DFI News Summer 2013

The Case for Teaching Network Protocols to Computer Forensics Examiners: Part 1
By Gary C. Kessler and Matt Fasulo
Most computer forensics experts are well-versed in basic computer hardware technology, operating systems, common software applications, and computer forensics tools. And while many have rudimentary knowledge about the Internet and simple network-lookup tools, they are not trained in the analysis of network communication protocols and the use of packet sniffers.

The Rise (and Risk) of Modern Media
By Gary Torgersen
Modern media is changing the forensic process. We are increasingly seeing the need to acquire forensic evidence from tablets, smartphones, GPS devices, flash drives, solid state hard drives, and other devices. They have become a way of life. We use them in business, in our homes, and in our cars.

Forensic Insight into Solid State Drives
By James Wiebe
SSDs are a game changer for forensic investigators, but insight into their operation can make your case. Tablet, notebook, and desktop computers are expected to have sales of about 600 million units worldwide in 2013, and a substantial portion of those will be built using Solid State Drives (SSDs).

Between a Rock and a Hard Drive
By Douglas Page
The means by which data can be forensically retrieved from badly damaged hard drives is being put to extreme tests in the high-profile Sandy Hook Elementary School shooting case in Newtown, CT. The shooter, Adam Lanza, removed the hard drive from his computer, then smashed it before driving to the school, where he murdered 20 first-grade children and six staff members before killing himself.

Training is Not Enough: A Case for Education Over Training
By Tim Wedge
If we make the argument that a degree is necessary in order to be a more effective digital forensic examiner, we need to show a tangible benefit of the time and money spent, particularly when vendor training in digital forensics and forensic tool use may be had for a fraction of the cost, and an even smaller fraction of the time. The case needs to be made not only to aspiring examiners, but also to those who will ultimately hire them.

Catching the Ghost: How to Discover Ephemeral Evidence through Live RAM Analysis
By Oleg Afonin and Yuri Gubanov
Until recently it was standard practice to approach running computers with a “pull-the-plug” attitude without recognizing the amount of evidence lost with the content of the computer’s volatile memory. Capturing and analyzing volatile data is essential for discovering important evidence. Making a RAM dump should become a standard operating procedure when acquiring digital evidence before pulling the plug and taking the hard drive out.

Starting A Career in Digital Forensics: Part 2
By John J. Barbara
There is clearly a difference between the types of investigations and examinations performed in the private sector and those encountered in the public sector. The private sector examiner can be expected to provide evidence to private attorneys, corporations, private investigators, and corporate security departments.

Book Excerpt: Android Security: Attacks and Defenses
By Abhishek Dubey and Anmol Misra
To perform forensics on Android devices, it is important to understand the Android system: how, where, and what type of data is stored on the device, so that useful information can actually be extracted.