Digital Forensics Report: Hard Drive Examination Process


Added on  2020/03/28

AI Summary
This report provides a comprehensive overview of digital forensics, specifically focusing on the examination of a hard drive. It outlines the key steps in a typical forensics process, including seizure, imaging, and analysis. The report delves into the role of a digital forensics examiner, emphasizing the importance of handling original evidence and creating verified copies. It covers various techniques used for data recovery, such as using specialized tools to recover deleted data, keyword searching, and the use of hash signatures and steganography. The report also touches upon electronic discovery (e-discovery) and the significance of metadata in digital evidence. The final section highlights the importance of clear and concise reporting, emphasizing the need for reports that are easily understood by non-technical individuals and the inclusion of audit information. The report concludes by stressing the need for skilled and unbiased digital forensics experts to effectively derive information from digital media for use as evidence in legal proceedings.
Running Head: FORENSICS REPORT 1
Forensics Report
Student’s Name
Institution
Forensics Report
Forensics is the use of technology and science for investigative purposes to
establish facts in a civil or criminal court. Digital forensics is a branch of forensic science
which comprises the recovery and investigation of any material that can be found in digital
devices. The information or data which is recovered is usually sourced from digital devices such
as computers or the cloud. Digital forensics was originally a term for forensics operations that
were performed on computers, but it has been expanded to cover all devices which store data.
Digital forensics is usually used as evidence in civil or criminal cases. It can also be used by
the private sector in intrusion investigations or internal corporate investigations. In digital
forensics, the technical side of an investigation is usually divided into several branches. These
branches include network forensics, computer forensics, mobile data forensics and forensic data
analysis (Reith, Carr & Gunsch, 2002). A typical forensics process follows this procedure:
seizure of the device; forensic imaging, which is taking a copy of the data for analysis so that
the device in question is not tampered with; and finally analysis of the data, with a report of
the findings being presented. A digital forensics examiner is a professional who has been trained
in the subject matter of digital forensics.
We shall look at how a hard disk drive is examined by a digital forensics examiner. The
best kind of evidence to use for forensics is the original evidence. It must not have been
tampered with by any party, so that it can yield accurate results on the status of the hard disk
drive and the data contained within it. Analysis should be carried out on a verified copy rather
than on the original piece of hardware. Analyzing a verified copy protects the original piece of
hardware from any accidents that might occur during the analysis process, including ordinary
accidents such as liquids being poured on the hard disk drive
or tampering with the hard disk drive. A verified copy allows for analysis and also ensures
that, if the original hardware is destroyed, there is a verified copy which can be
admissible in any investigations or court cases. A digital forensics examiner will be supplied
with a hard disk drive which has been seized from a suspect or the premises of a suspect. During
seizure of the hard disk drive a lot of caution is needed to ensure that the drive is not harmed
or tampered with in a way that might cause the data to be inadmissible or corrupted.
After seizure, the drive is given to the digital forensics examiner, who makes an exact
duplicate of the media. The sector-level duplicate drive is usually made through the use of a
write-blocking device. Duplicating the drive is known as acquisition or imaging, and it can be
done with a software imaging tool or a hard drive duplicator (Adams, 2012). The imaging tools
may include IXimager, FTK Imager or TrueBack. The acquired image is usually verified by the use
of MD5 or SHA-1 hash functions. Hashing is the process of verifying the image with a hash
function to ensure the media or evidence is in its original state. Data validation is the
process used to ensure that a computer program is operating on correct, useful and clean data.
The data validation process uses routines such as check routines, validation rules or validation
constraints to check and establish the security, correctness and meaningfulness of data which
has been fed to a system. The rules which make data validation a success can be implemented by
an explicit application program which uses validation logic, or by a data dictionary.
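The image verification step described above can be sketched as follows. This is an added example, not code from the original report: the function names and the sample "image" are constructed for illustration, and SHA-256 is computed alongside the MD5 and SHA-1 the report names as an assumption of this example, since collisions can be constructed for both of those older functions.

```python
import hashlib
import io

CHUNK = 1 << 20  # read 1 MiB at a time so a large image never has to fit in RAM

def digest_stream(stream, algorithms=("md5", "sha1", "sha256")):
    """Hash a binary stream in one pass, feeding every algorithm from each read."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        for hasher in hashers.values():
            hasher.update(block)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}

def verify_image(stream, recorded):
    """Compare a working copy against the digests recorded at acquisition.

    Returns (ok, mismatches); ok is True only if every recorded digest matches.
    """
    current = digest_stream(stream, tuple(recorded))
    mismatches = sorted(name for name, value in recorded.items()
                        if current[name] != value.lower())
    return (not mismatches, mismatches)

# Constructed sample: 4097 sectors of 512 bytes standing in for a disk image.
SECTOR = 512
ORIGINAL = bytes(range(256)) * 2 * 4097
ACQUISITION_RECORD = digest_stream(io.BytesIO(ORIGINAL))

def demo():
    """Verify an untouched copy, then a copy with one bit flipped in sector 1000."""
    tampered = bytearray(ORIGINAL)
    tampered[SECTOR * 1000 + 7] ^= 0x01
    return (verify_image(io.BytesIO(ORIGINAL), ACQUISITION_RECORD),
            verify_image(io.BytesIO(bytes(tampered)), ACQUISITION_RECORD))

if __name__ == "__main__":
    for ok, mismatches in demo():
        print("verified" if ok else f"MISMATCH in {mismatches}")
```

In practice the digests are recorded when the image is acquired behind the write blocker, and the same check is repeated before and after analysis so the report can show the working copy never changed.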
Once the hard disk drive has been acquired, the image files are examined and analyzed for the
purpose of identifying evidence which can support the examiner's hypothesis or go contrary to
it. The analysis also tries to find out whether there are any signs of tampering which
might lead to loss or hiding of data. The digital forensics examiner can recover material which
can be used as evidence in a number of ways. They first use tools which enable them to recover
data from the device under investigation. The examiners can use tools such as FTK and
EnCase to help them recover and view data that is on a hard disk drive (Carrier, 2001). The data
that is recovered during a digital forensics process can vary depending on the type of
investigation which is being undertaken. The data being recovered can include emails, images,
documents and internet history. Specialized tools enable a digital forensics examiner to
recover data from a hard disk drive at a more in-depth level. Apart from the
normal saved files, they can recover data from the operating system cache, metadata
and even deleted data. This ensures that any kind of data, even though it may have been deleted,
can be recovered by the examiner and used during an investigation.
The techniques used by digital forensic examiners for recovery of evidence usually
include methods such as keyword searching of an image file to pinpoint any data types
or relevant information that match what the examiner is looking for. A file such as a graphic
image contains a set of bytes which are specific to it and help in identifying the beginning and
end of the file. Through the use of these bytes a deleted file can be reconstructed so that the
data which had been deleted can be viewed by the examiner and used as evidence in an
investigation. Hash signatures are usually what forensic tools use to identify specific types of
data in digital forensics. They give the examiner an easier time searching for the kind of data
they wish to find if they know what they are looking for. Steganography is the practice or
process of hiding an image, file, video or message inside another video, image, message or file.
Steganography is used when an individual does not want some information to be identified by
other people unless he or she wants them to. In steganography the hidden information is
disguised or placed to look like part of the original information (Fridrich, Goljan & Soukal, 2004).
Steganography, as compared to cryptography, does not attract a lot of attention because
the information is displayed in plain sight to look like part of a whole. A good example of
steganography is the use of invisible ink between the visible lines of a private letter.
Steganography mainly consists of concealing a message and its content. In a hard disk drive
steganography can be used to conceal information inside computer files. Media files have been
identified as key elements in the use of steganography because of their large sizes. After the
recovered data is analyzed, conclusions are drawn from it and recorded in the forensics
report. The reports and conclusions which are presented by digital forensics examiners need to
be based on the data they acquired and their expert knowledge in the field of digital forensics.
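The recovery of deleted files from their beginning and end bytes, and the use of hash signatures to recognise known files, both described above, can be shown together in one added example. It is not code from the original report or from FTK or EnCase: the JPEG markers are the standard start and end bytes of that format, while the function names, the sample "disk" contents and the known-file label are constructed for illustration.

```python
import hashlib

JPEG_HEADER = b"\xff\xd8\xff"   # JPEG start-of-image marker + next marker byte
JPEG_FOOTER = b"\xff\xd9"       # JPEG end-of-image marker

def carve_jpegs(raw, max_size=10 * 1024 * 1024):
    """Return (offset, data) for each header..footer run in raw image bytes.

    The scan ignores the file system, so it also finds deleted files whose
    bytes are still on disk. It assumes each file is stored contiguously.
    """
    carved, pos = [], 0
    while (start := raw.find(JPEG_HEADER, pos)) != -1:
        end = raw.find(JPEG_FOOTER, start + len(JPEG_HEADER))
        if end == -1 or end + len(JPEG_FOOTER) - start > max_size:
            pos = start + 1      # no usable footer: skip this header, keep scanning
            continue
        stop = end + len(JPEG_FOOTER)
        carved.append((start, raw[start:stop]))
        pos = stop
    return carved

def match_known(carved, known_sha256):
    """Label carved files by looking up their SHA-256 in a known-file hash set."""
    return [(offset, known_sha256.get(hashlib.sha256(data).hexdigest(), "unknown"))
            for offset, data in carved]

# Constructed sample data: two tiny stand-in "JPEGs" (not valid pictures) placed
# in zero-filled space, followed by a header whose footer was overwritten.
PIC_A = JPEG_HEADER + b"\xe0constructed sample A" + JPEG_FOOTER
PIC_B = JPEG_HEADER + b"\xe0constructed sample B" + JPEG_FOOTER
RAW_IMAGE = (b"\x00" * 1024 + PIC_A + b"\x00" * 300 + PIC_B
             + b"\x00" * 100 + JPEG_HEADER + b"\xe0truncated")
KNOWN = {hashlib.sha256(PIC_A).hexdigest(): "reference image A (constructed)"}

def demo():
    """Carve the sample image and label each recovered file."""
    return match_known(carve_jpegs(RAW_IMAGE), KNOWN)

if __name__ == "__main__":
    for offset, label in demo():
        print(f"offset {offset}: {label}")
```

The recorded offset of each carved file belongs in the examiner's notes, because it lets another examiner locate the same bytes in the verified image and reproduce the finding.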
Electronic discovery, which is also known as e-discovery, is the process of finding
information in legal proceedings, which include government investigations, Freedom of
Information Act requests or litigation, where information is searched for and presented in an
electronic format. Information in an electronic format is considered different from
paper or hard copy information because of its persistence, intangible form,
transience and volume. Electronic information usually has metadata, which is an attribute that is
not present in paper information. Metadata can be a key factor, especially in digital forensics,
because it provides the time and date at which a document was created. This kind of information
is very hard to get from paper information unless it is specifically included. Paper information
can also include a time and date but it might be present to deter a case or proceedings in a case.
Metadata is more accurate and reliable because it will always be recorded and input from a
system's or computer's time and date, which is usually accurate and automatically updated.
Preserving the metadata which is present in electronic documents creates special challenges in
preventing spoliation. Electronic discovery plays a key role in cases or investigations which rely on
digital forensics in providing crucial evidence. When data is discovered it can be presented as
valid evidence in a case, which can be crucial to winning or losing the case proceedings.
E-discovery should be treated as a crucial element in digital forensics as it plays a big role in
ensuring the needed information from the investigations is obtained.
Reporting and presentation is usually the last step in any digital forensics process. It is the
step in which the digital examiner presents his or her findings and explains to the
relevant individuals, in a very simple manner, what was found. Digital forensics can be a
complex procedure and the terms used by technical professionals can easily be confusing or
misunderstood. It is therefore very important that the report presented by the digital forensics
examiner be very clear and concise, so that individuals who read it
understand exactly what the digital forensics examiner discovered. Reports from a digital
forensics investigation need to be presented in a form which is easily understood by
non-technical persons. Reports from digital forensics investigations may also include meta
documentation and audit information (Horenbeeck, 2006). The report usually details all the steps
and procedures which the digital forensics examiner took during the analysis of the hard disk
drive. The procedures need to be appropriate and evaluated to ensure that the whole process was
done professionally for it to yield credible results which can be used in court. The digital
forensics report is usually presented to the people in charge of the case or the individuals who
commissioned the forensics examiner to perform the job. The individuals who receive the
report, such as lawyers in court, will examine it and determine whether it can be critical and
viable evidence to use in court. The evidence can be presented in court through a written report
and accompanying digital media which can give the court more information on the digital
examiner's findings. The report is very important because it will contain the information needed to be used
in court or in an investigation as evidence. It should therefore reflect the findings from the digital
forensics examiner and should be written in a professional format.
From this analysis of how a digital forensics investigation of a hard disk drive is
undertaken, we can see that the process requires a skilled individual in the field for it to
be effective and achieve viable results which can be used in court. The digital examiner needs to
be someone who is experienced and unbiased to ensure that the report which he or she produces
is viable and can be relied upon as concrete evidence. With technology being used in
more fields every day, even in committing crimes, it is fitting to have digital forensics experts
who are able to derive information from digital media for the purpose of presenting it as
evidence in a case (Eoghan, 2004). The tools and equipment used in digital forensics vary
depending on the case and hardware in question. It is therefore important for the digital forensics
examiner to always have the necessary equipment, which will place them in a strategic position to
accurately perform their task and retrieve the required data during a forensics investigation. It is
also very important to ensure that the whole digital forensics process is carried out by a
professional and that the report which is prepared is accurate, based on the investigation, and
can be easily understood by non-technical individuals.
References
Adams R. (2012). The Advanced Data Acquisition Model (ADAM): A process model for digital
forensic practice.
Carrier B. (2001). Defining digital forensic examination and analysis tools. Digital Research
Workshop II.
Eoghan C. (2004). Digital Evidence and Computer Crime. Second Edition. Elsevier.
Fridrich J., Goljan M. & Soukal D. (2004). Searching for the Stego Key. Proc. SPIE, Electronic
Imaging, Security, Steganography and Watermarking of Multimedia Contents. VI. 5306:
70 – 82.
Horenbeeck M. (2006). Technology Crime Investigation.
Reith M., Carr C. & Gunsch G. (2002). An examination of digital forensic models. International
Journal of Digital Evidence.