Firefox (version 16.0.2) typically keeps twelve SQLite databases in the user's profile, each serving a different function: bookmarks, cookies, places visited, searches, and so forth.
The majority of potential forensic information from Firefox does not reside in the Windows Registry, but rather in two directories located in the individual User account(s).
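As an added example (not code from the original column), the following Python script shows the kind of query an examiner runs against the places.sqlite database in that profile directory. The two tables are a constructed subset of the real moz_places / moz_historyvisits schema and the rows are sample data; the visit_type names come from Firefox's TRANSITION_* constants, and timestamps are PRTime (microseconds since the Unix epoch, UTC).

```python
# Added example, not code from the original column. Pulls a visit timeline out
# of a Firefox places.sqlite. The tables below are a constructed subset of the
# real moz_places / moz_historyvisits schema and the rows are sample data; a
# real profile lives under AppData\Roaming\Mozilla\Firefox\Profiles on Windows.
import sqlite3
from datetime import datetime, timedelta, timezone

# Firefox stores PRTime: microseconds since the Unix epoch, in UTC.
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# visit_type values from Firefox's nsINavHistoryService (TRANSITION_*).
VISIT_TYPES = {
    1: "LINK",                # followed a link
    2: "TYPED",               # user typed the URL
    3: "BOOKMARK",            # opened from a bookmark
    4: "EMBED",               # embedded content (frames, images, trackers)
    5: "REDIRECT_PERMANENT",  # HTTP 301
    6: "REDIRECT_TEMPORARY",  # HTTP 302
    7: "DOWNLOAD",
}


def prtime_to_utc(prtime):
    """Convert a PRTime integer to an aware UTC datetime without float rounding."""
    return EPOCH + timedelta(microseconds=prtime)


def build_sample_places_db():
    """Constructed stand-in for a real places.sqlite (schema subset, fake rows)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (
            id INTEGER PRIMARY KEY, url TEXT, title TEXT,
            visit_count INTEGER, hidden INTEGER, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (
            id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER,
            visit_date INTEGER, visit_type INTEGER);
    """)
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?,?)", [
        (1, "http://example.com/", "Example Domain", 2, 0, 1351728060000000),
        (2, "http://example.com/login", "Login", 1, 0, 1351728120000000),
        (3, "http://example.net/tracker.gif", None, 1, 1, 1351728120000000),
    ])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", [
        (1, 0, 1, 1351728000000000, 2),  # user typed the URL
        (2, 1, 2, 1351728120000000, 1),  # followed a link from visit 1
        (3, 0, 1, 1351728060000000, 1),
        (4, 2, 3, 1351728120000000, 4),  # embedded tracker on a hidden place
    ])
    conn.commit()
    return conn


def visit_timeline(conn, include_hidden=False):
    """Return (UTC ISO timestamp, url, title, visit type, referring url) per visit,
    oldest first. Hidden places (embeds, redirects) are left out unless asked for,
    which is how the browser's own history view behaves."""
    sql = """
        SELECT v.visit_date, p.url, p.title, v.visit_type,
               (SELECT rp.url FROM moz_historyvisits rv
                JOIN moz_places rp ON rp.id = rv.place_id
                WHERE rv.id = v.from_visit) AS referrer
        FROM moz_historyvisits v
        JOIN moz_places p ON p.id = v.place_id
        WHERE p.hidden = 0 OR ?
        ORDER BY v.visit_date, v.id"""
    rows = conn.execute(sql, (1 if include_hidden else 0,)).fetchall()
    return [(prtime_to_utc(d).isoformat(), url, title,
             VISIT_TYPES.get(vt, "UNKNOWN(%d)" % vt), ref)
            for d, url, title, vt, ref in rows]


if __name__ == "__main__":
    for row in visit_timeline(build_sample_places_db(), include_hidden=True):
        print(row)
```

Run it against a copy of the seized profile's places.sqlite, never the original: Firefox keeps the database in write-ahead-log mode, so the places.sqlite-wal file beside it holds the most recent visits and must be copied along with it, and the copy should be opened read-only so the examination itself leaves no trace.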
The most prevalent software applications in use today are probably Web browsers. Although browsers are complex software applications, they have common functionality regarding their main components.
Security Identifiers (SIDs) are unique identifier strings of variable length. A SID is assigned when an account is created: to each user on a stand-alone system, and to each user, group, and computer on a domain-controlled network.
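As an added example (not code from the original column), the following Python breaks a textual SID into its parts and reads it the way an examiner does: the S-1-5-21 prefix plus three 32-bit values identify the machine or domain, and the final relative identifier (RID) names the account. The RID meanings listed are the ones Microsoft documents; the SID values in the sample inputs are constructed.

```python
# Added example, not code from the original column: parse a textual SID and
# flag the well-known relative identifiers (RIDs) an examiner looks for.
# Sample SID values used in the comments and tests are constructed.

# RIDs that mean the same thing in every machine or domain account SID.
WELL_KNOWN_RIDS = {
    500: "built-in Administrator (even if renamed)",
    501: "built-in Guest",
    502: "krbtgt (Kerberos KDC account, domains only)",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}
FIRST_USER_RID = 1000  # accounts created after setup get RIDs from here upward

# Groups under the BUILTIN domain, S-1-5-32-<RID>.
BUILTIN_RIDS = {544: "BUILTIN\\Administrators", 545: "BUILTIN\\Users"}


def parse_sid(sid):
    """Parse 'S-<revision>-<authority>-<sub>-...' into its numeric parts."""
    parts = sid.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID: %r" % sid)
    try:
        revision = int(parts[1])
        authority = int(parts[2])
        subs = [int(p) for p in parts[3:]]
    except ValueError:
        raise ValueError("malformed SID component in %r" % sid) from None
    if revision != 1 or any(s < 0 or s > 0xFFFFFFFF for s in subs):
        raise ValueError("SID out of range: %r" % sid)
    return {"revision": revision, "authority": authority, "subauthorities": subs}


def describe_sid(sid):
    """Classify a SID: which machine/domain it belongs to and which account it names."""
    s = parse_sid(sid)
    subs = s["subauthorities"]
    # NT authority (5), first sub-authority 21: a machine or domain account SID,
    # S-1-5-21-<three machine/domain values>-<RID>.
    if s["authority"] == 5 and len(subs) == 5 and subs[0] == 21:
        scope = "S-1-5-21-%d-%d-%d" % tuple(subs[1:4])
        rid = subs[4]
        if rid in WELL_KNOWN_RIDS:
            kind = WELL_KNOWN_RIDS[rid]
        elif rid >= FIRST_USER_RID:
            kind = "user-created account or group"
        else:
            kind = "other reserved RID"
        return {"scope": scope, "rid": rid, "kind": kind}
    if s["authority"] == 5 and len(subs) == 2 and subs[0] == 32:
        return {"scope": "S-1-5-32", "rid": subs[1],
                "kind": BUILTIN_RIDS.get(subs[1], "other BUILTIN group")}
    if s["authority"] == 5 and subs == [18]:
        return {"scope": "NT AUTHORITY", "rid": 18, "kind": "LocalSystem"}
    return {"scope": "S-1-%d" % s["authority"],
            "rid": subs[-1] if subs else None,
            "kind": "well-known or non-account SID"}


def same_domain(sid_a, sid_b):
    """True when two account SIDs were issued by the same machine or domain."""
    a, b = describe_sid(sid_a), describe_sid(sid_b)
    return a["scope"].startswith("S-1-5-21-") and a["scope"] == b["scope"]


if __name__ == "__main__":
    for sample in ("S-1-5-21-1004336348-1177238915-682003330-500",
                   "S-1-5-21-1004336348-1177238915-682003330-1001",
                   "S-1-5-32-544", "S-1-5-18"):
        print(sample, describe_sid(sample))
```

On a Windows system the SID-to-profile mapping lives in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList, where each subkey is a SID and its ProfileImagePath value points at the user's profile directory; that key is where an examiner ties the SIDs parsed above to the folders whose artifacts are being examined.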
Registry keys track each volume that has been mounted and the drive letter assigned to it. Information about any external device previously attached to the system is likewise recorded in certain Registry keys.
Artifacts are items of data or information left behind after a specific activity occurs on a system. Any USB device attached to a system will leave artifacts in several locations.
There are several techniques that can be used to examine the Registry, each of which has its own merits.
A typical Windows 7 Registry consists of at least five Hives, each of which performs a different function.
Many forensic examiners are not familiar with the Registry or its forensic importance. One way to gain first-hand knowledge is to explore the Registry on a live, non-forensic computer.
While the Windows Registry is forensically important, frequently it is not captured during the triage of a live system. Similarly, it is often overlooked during post-mortem examinations.
Analyzing a SIM card can provide the geographical location(s) where the SIM card, the phone, and the owner of the phone (suspect) may have been.
Although a thorough discussion of all the potential evidence that could be on a SIM card is beyond the scope of this column, some of that information will be discussed in this and a future column.
SIMs are found in GSM, iDEN, and BlackBerry handsets. Under the GSM framework, a cell phone is termed a Mobile Station, consisting of a SIM card and a handset. From an investigative perspective, one useful feature of a SIM card is that it can be moved from one GSM-compatible phone to another.
Cell phones can and do store data or information that the user may not be aware of. It should come as no surprise that this can provide a tremendous amount of potential probative information (evidence) to investigators.
Familiarity with the five main cell phone operating systems can aid your investigation.
Telephone technology has evolved by leaps and bounds. It is important to understand some of the key terminology used when discussing cellular phones and other mobile devices.
Triage tools vary greatly in their technical and operational performance capabilities.
Triaging a computer allows investigators to gather volatile data that would be lost by pulling the plug on a live system.
Collecting a computer into evidence requires careful consideration.
The confusion concerning the Digital and Multimedia Evidence Sub-Disciplines suggests the Discipline should be revised.
Can we clearly differentiate whether an examination falls under Computer Forensics, Forensic Audio, Image Analysis, or Video Analysis?
Cloud computing raises some unique law enforcement concerns regarding the location of potential digital evidence, its preservation, and its subsequent forensic analysis.
The examination of a computer’s hard drive without an additional warrant may become problematic.
Pertaining to the seizure of digital devices, there is some misunderstanding concerning what “executing the warrant within ten days” actually means.
This issue, we take a look at the general categories of anti-digital forensics.