First Contact
● Notions
● Subjects
● Setting up your environment
● Notable Cases
● Legal Frameworks
● Incident Reporting
● Homework 1
The process used to acquire, preserve, analyze, and report on evidence using
scientific methods that are demonstrably reliable, accurate, and repeatable, such
that it may be used in judicial proceedings
(src: NISTIR 8006)
Digital Forensics
● Requires understanding of how computers operate
○ How they store and access data
○ What communication protocols they use under the hood
○ What security guarantees and mechanisms they offer
● Requires creative and original thinking
○ Connecting different concepts
○ Being able to work with large amounts of data
○ Thinking like an attacker
● Requires the use of the scientific method
○ Careful statements of unambiguous facts
○ Methods that are reproducible and widely accepted
○ Clear presentation of results
We will dive deeper into
● The UNIX operating system and using the command line tools
● How hard disks store and access data
● How memory resources are organized and presented
● How programs are loaded into memory and executed
● Computer networks and data acquisition from them
● Microsoft Windows and Android devices
● Browsers and APIs
● Techniques that attackers use to hinder forensics investigations
● Hiding/Finding data in plain sight
● Advanced topics in forensics (Blockchains, Automotive)
Structuring A Forensic Report
● Overview / Case Summary
○ Stating what we know
● Objectives
○ What we are trying to establish / discover
● Evidence analyzed
○ Detailed list of what was given to us with proof of authenticity
● Investigation Steps
○ A detailed timeline of the steps followed
● Findings
○ Presentation of the findings alongside proof of their authenticity if needed
● Conclusion
Watch on your own
Structuring Your Class Report
● Please only PDF or TXT
● Use only 3 sections:
○ Overview (state the problem and the data given)
○ Investigation (this should be the bulk of the report, including what you did and why)
○ Findings
● Please include an appendix with relevant screenshots of the findings as well as
screenshots of the critical steps you followed. You can reference the images in the body
of your report
● In the case of a TXT report you can just include a directory with the relevant pictures
in PNG or JPG format (named {1,2,3,...}.png), packed together with the report in a zip file.
● You MUST follow the structure above when you submit your Homework! You
WILL lose points if you don’t
Setting up a Digital Forensics VM environment
● You will be able to complete all the assignments on your own machine
running a Linux Virtual Machine or Windows Subsystem for Linux (WSL)
● You should use the SANS SIFT Workstation VM. If you consider yourself a
very advanced Linux user you could attempt to install the packages in a distro
of your choice.
● For a VM hypervisor we suggest either VMware Player (free edition) or
VirtualBox. WSL is also a form of hypervisor.
● In case that you are unable to run a Linux VM on your own platform, we will
provide you access to a remote Virtual Machine Hosted on our lab.
Setting up the Hypervisor Option (1):
If you are using Windows:
● Download Player v17.02 from here
● Accept the agreement and add the console tools in the PATH
If you are running this on a modern CPU, once it is installed enable the VT-x
extensions by:
● Rebooting your computer and logging into your BIOS menu
● Enable Virtualization Extensions
● Enable Virtualized Direct I/O if present
● Disable trusted execution if using Windows.
Setting up the Hypervisor Option (2):
If you are using Windows:
● Download Oracle Virtualbox for windows from here
● Proceed through the installation and reboot the host
If you are running this on a modern CPU, once it is installed enable the VT-x
extensions as before
Installing the Virtual Machine: Option (1)/SIFT Workstation
● Download it from here
● To download it you need to create a SANS account
○ Many benefits like access to the weekly cyber security newsletter
○ Better prices for training courses offered by SANS
● Point your hypervisor to the Virtual Machine Image you have downloaded
● Once it is running the default username and password are
○ Username: sansforensics
○ Password: forensics
Most of the tools we will use in the course are preinstalled in the virtual
Installing the Virtual Machine: Option (2)/any distro
In case you already have a Linux distribution, make sure you have the following
packages installed:
– Autopsy
– Volatility (v2)
– Sleuthkit
– Wireshark
– Sqlite
– Android debug bridge (adb)
Some Famous Forensics Cases
Famous Case #1 (George Mason University – 1999)
Can someone:
● Use your organization’s resources to send derogatory emails to clients,
pretending that they originate from actual users of your organization
● When caught by the authorities, via the use of data collected by your novel,
homegrown intrusion detection system, find flaws in your presentation of
the evidence and sue you back for 4.5M?
Yes! 🙂
An example of what can happen through improper use of digital forensics
Famous Case #2 (BTK – 2004-5)
Can metadata help catch serial killers?
● Luckily yes, as Dennis Rader, the BTK (for bind, torture, kill) strangler, can
attest.
● Deciding to mock the police many years after his 10+ unsolved murders, he
sent them evidence on a floppy disk containing a deleted Word document.
● The metadata contained the strings “Dennis” and “Christ Lutheran Church” (in
which he was a deacon)
Famous Case #3 (Brad Cooper, 2014)
Can the mishandling of evidence be such that a person could claim he was framed
for the murder of his wife?
● But then actually admit that he murdered her?
Sadly yes, as the Brad Cooper case taught us.
● A police officer untrained in DFIR, while attempting to brute-force the
password of his phone, managed to delete valuable data
● Luckily another investigator discovered recent Google Maps searches near
the place where the body was found.
Famous Case #4 (Cliff Stoll vs Markus Hess)
● Cliff Stoll was at the time a sysadmin at LBNL
● While investigating a simple accounting error of 75 cents, he discovered an
unauthorized user that had gained admin access using an exploit in the
movemail function of GNU Emacs.
● Spending months, he traced the attacker first to various defense
contractors and then to the University of Bremen.
● Cliff Stoll set up the first instance of a honeypot to
lure the attacker (Markus Hess)
● Markus was found to be selling the data he was acquiring to the KGB and
received a 20 year sentence
Digital Evidence in Courts
Unlike its physical counterpart, digital evidence can be easily modified or
● Until 1993 US courts were using the Frye test to determine if digital evidence
is admissible: “expert scientific evidence is admissible only if the scientific
community generally accepts the scientific principles upon which it is based”
● In the famous Daubert case a rule (702) was added to the Rules of
Evidence that allows an expert witness to assist (in the form of an
opinion) in analyzing/interpreting the evidence (which still must be collected
using scientific methods)
Digital Evidence in Courts (Daubert standard)
Additionally, the expert’s opinion is subject to the following checklist:
● have the theories and techniques employed by the scientific expert been
● have they been subjected to peer review and publication?
● do the techniques employed by the expert have a known error rate?
● are they subject to standards governing their application?
● do the theories and techniques employed by the expert enjoy widespread
Admissibility of Digital Evidence
Since digital evidence is (or can take the form of) writing (textual data), it is subject
to the Best Evidence Rule, which states that:
● “The original of a document is superior to reproductions”
In the case of digital evidence:
● We have means to establish equality of content (hashing)
● We need to perform actions that don’t mutate the content under investigation
Admissibility of Digital Evidence
Since during the lifetime of digital evidence in computer systems there are many ways to
tamper with it, the International High-Tech Crime Conference in 1999 established the
following guidelines:
● Upon seizing digital evidence, action should not change that evidence
● When it is necessary for a person to access original digital evidence, that person
must be forensically competent
● All activity relating to the seizure, access, storage or transfer of digital evidence
must be fully documented, preserved and available for review
● An individual is responsible for all actions taken with respect to digital evidence
while the digital evidence is in their possession
● Any agency that is responsible for seizing, accessing, storing or transferring digital
evidence is responsible for compliance with these principles.
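The two points from the previous slide (hashing establishes equality of content; actions must not mutate the original) and the documentation guidelines above, as an added Python example that is not part of the slides: it hashes a constructed stand-in evidence file read-only, records each action in a chain-of-custody log, and shows that the acquisition hash no longer verifies once the original has been written to. The file name, examiner label and log fields are assumptions.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file read-only in chunks, so large images need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:  # "rb" never writes: the content is not mutated
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def record_custody(log, action, path, examiner, digest):
    """Append one fully documented action (who, what, when, hash) to the log."""
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "item": os.path.basename(path),
        "examiner": examiner,
        "sha256": digest,
    }
    log.append(entry)
    return entry

def verify_unchanged(path, expected_digest):
    """Re-hash the item and compare with the digest recorded at acquisition."""
    return sha256_file(path) == expected_digest

def demo_workflow():
    """Constructed sample: acquire, work read-only, re-verify, then show what
    an improper write does. Returns (ok_before, ok_after_tamper, custody_log)."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "disk.img")  # constructed stand-in for a disk image
    with open(image, "wb") as f:
        f.write(b"constructed sample evidence\x00" * 1000)
    log = []
    original = sha256_file(image)
    os.chmod(image, 0o444)  # drop write bits so a careless tool fails instead of altering evidence
    record_custody(log, "acquired", image, "examiner-A", original)
    record_custody(log, "verified after analysis", image, "examiner-A", sha256_file(image))
    ok_before = verify_unchanged(image, original)
    os.chmod(image, 0o644)  # simulate an untrained handler removing the protection...
    with open(image, "ab") as f:  # ...and appending a single byte to the original
        f.write(b"x")
    ok_after = verify_unchanged(image, original)  # the acquisition hash no longer matches
    return ok_before, ok_after, log
```

In practice the hash and the log entries are written at acquisition and re-checked before the report is issued, so any gap between the two is visible for review.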
Legal Frameworks
CFAA: The Computer Fraud and Abuse Act of 1986 (CFAA) is a United States
cybersecurity bill that was enacted in 1986 as an amendment to existing computer
fraud law (18 U.S.C. § 1030), which had been included in the Comprehensive
Crime Control Act of 1984. The law prohibits accessing a computer without
authorization, or in excess of authorization. Prior to computer-specific criminal
laws, computer crimes were prosecuted as mail and wire fraud, but the applicable
law was often insufficient.
It is a law designed to address legal and illegal access to federal and financial IT
systems. It was intended to reduce cracking of computer systems and to address
federal computer-related offenses.
Video (7.5mins):
CALEA: Communications Assistance for Law Enforcement Act
The Communications Assistance for Law Enforcement Act (CALEA) is a statute enacted
by Congress in 1994 to require that telecommunications carriers and manufacturers of
telecommunications equipment design their equipment, facilities, and services to ensure
that they have the necessary surveillance capabilities to comply with legal requests for
information. CALEA is intended to preserve the ability of law enforcement agencies to
conduct electronic surveillance while protecting the privacy of information outside the
scope of the investigation. In 2005, the Commission extended coverage of CALEA to
include facilities-based broadband Internet access providers and providers of
interconnected Voice over Internet Protocol (VoIP) service.
Video: (18.5 mins)(watch on your own):

Electronic Communications Privacy Act of 1986 (ECPA)
The Electronic Communications Privacy Act and the Stored Wire Electronic
Communications Act are commonly referred together as the Electronic
Communications Privacy Act (ECPA) of 1986. The ECPA updated the Federal Wiretap
Act of 1968, which addressed interception of conversations using “hard” telephone
lines, but did not apply to interception of computer and other digital and electronic
communications. Several subsequent pieces of legislation, including The USA
PATRIOT Act, clarify and update the ECPA to keep pace with the evolution of new
communications technologies and methods, including easing restrictions on law
enforcement access to stored communications in some cases.
The ECPA, as amended, protects wire, oral, and electronic communications while those
communications are being made, are in transit, and when they are stored on computers. The
Act applies to email, telephone conversations, and data stored electronically.
Video (2.5mins):
Homework 1: Set up your Forensics Environment
Pick one of the options we described and set up your environment.
Provide a report in PDF format that:
● States what environment you built (don’t just say Option x, describe
the environment in your own words)
● Provides screenshots after running the following commands. Use ctrl-l
to clear the screen before running each command:
○ whoami
○ df -h
○ uname -r
○ lsblk