Chris Sanders
Information Security Analyst, Author, and Instructor
In September of this year, I successfully defended my doctoral dissertation, earning the title of Doctor of Education from Baylor University. In this post, I’m sharing the entirety of that dissertation freely to benefit the information security community. I’ll also provide recommendations on relevant sections of the work based on your role. Finally, I’ll talk a bit about the past, present, and future of my research.
I believe this dissertation represents a significant step forward in understanding the cognitive skills that high-performing analysts rely on when conducting security investigations. The findings here help establish analytic doctrine and should yield significant improvements in how analysts are trained when considered thoughtfully by educators. Similarly, analysts who better understand their own cognitive skills stand to increase their metacognitive awareness. This knowledge has the potential to improve analyst performance as well as their ability to communicate with peers and mentor less experienced practitioners. This paper also further establishes the field of human-centric investigation theory research.
Let’s get straight to the point. You can download my complete dissertation paper for free at the link below.
DOWNLOAD: The Analyst Mindset: A Cognitive Task Assessment of Digital Forensic Analysts
Despite significant investment in cyber security, the industry is unable to stem the tide of damaging attacks against computer networks. This unfortunate situation is, in part, because cyber security exists in a state of cognitive crisis defined by tacit knowledge and poorly understood processes. At the heart of the crisis are digital forensic analysts that identify and investigate intrusions. Unfortunately, even skilled analysts in these roles are often unable to explain how they go about the process of finding intruders and assessing their foothold on a network. Without this knowledge, professional and academic educators are unable to build a standardized industry-accepted curriculum for the identification and training of new analysts. While there have been some attempts to inventory the skills, processes, and knowledge required to serve in the digital forensic analyst role, no current efforts provide a thorough, research-backed accounting of the profession with consideration for cognitive skill elements.
This problem of practice study details a cognitive skills assessment of the digital forensic analyst profession by leveraging two Cognitive Task Analysis (CTA) research methods. The Simplified Precursor, Action, Result, Interpretation (PARI) method provided a framework for eliciting procedural skills, and the Critical Decision Method (CDM) supported the discovery of decision-making skills. Using these techniques, interviews conducted with expert analyst practitioners revealed four unique procedural skill categories, characteristics of two significant facets of analyst decision making, and numerous subcategory elements that describe additional dimensions of expert analyst performance. The results converged on a model of diagnostic inquiry that represents the relationships between how analysts formed investigative questions, interpreted evidence, assessed the disposition of events, and chose their next investigative actions. These findings establish explicit knowledge that provides a foundational understanding of how skilled analysts perform investigations. They also lay new groundwork for cyber security’s emergence from its cognitive crisis, with implications for educators and practitioners alike.
If you’re reading this as an information security practitioner, I recommend reading Chapter 1 (Introduction) for an overview, Chapter 2 (Literature Review) for background information, and then focusing on Chapter 4 (Findings) and the appendices referenced in it. Keep in mind that it is a research document, not a teaching document. It describes the process and results of my research on analyst cognitive processes and is narrowly scoped to the findings that I uncovered. These findings have significant value to analysts and those who support them but are not necessarily meant to be handed to an entry-level analyst on their own. If you want to learn to be an analyst, I recommend my Investigation Theory class, where much of my research (including this dissertation) manifests with learning in mind. It is here that these concepts are scaffolded by other relevant knowledge, paired with examples and demonstrations, and tied to specific learning objectives so that analysts can wield them properly.
If you’re reading this as an educator, then I recommend reading Chapter 1 (Introduction), Chapter 4 (Findings), and Chapter 5 (Distribution of Findings). My primary goal with this research was to identify analyst cognitive skills so that we may better teach those skills to others. I expect that this work will find a home in many community college and university courses that have investigative components. If you do end up building curriculum components around these concepts, I’d love to hear about your approach.
If you’re reading this as an academic researcher, then I recommend reading the entire document so that you may understand my methods as well as the results I uncovered. I put extra effort into describing my cognitive task analysis strategy. My experience as a 15+ year practitioner before moving into the academic research space is atypical but allowed me to conduct this research through a unique lens that would not be possible by researchers lacking professional experience. I tried my best to elaborate on my research methods to highlight how I deployed my expertise to design the study and conduct data collection and analysis. I hope this work will help bring the academic and practitioner communities closer together.
I struggled tremendously when I first began my analyst career. I could not understand how investigators took inputs and used them to pivot between various data sources and find evidence of compromise. I distinctly remember sitting in a state of paralysis, staring at a blank search bar, not knowing what to do next. I didn’t have access to many highly skilled people, and those who were could not effectively explain how they connected the dots. I was told to watch how they did their work, play around in the data, and I would eventually figure it out. I eventually did figure it out, but that path was much longer and more frustrating than it should have been. Worse yet, I was continually told that good analysts were born with a particular set of traits, and without them, someone’s chance of doing the job well was limited.
Over time, I recognized that information security is in a state of cognitive crisis. So much of the knowledge we rely on is tacit and unavailable to those seeking to practice this craft. That negatively affects everyone attempting to enter the field, but it affects those who are already marginalized even more. As my interests turned from computers to the humans using them, I felt a desire to make these tacit processes explicit, which led me on a long and challenging journey that included researching and writing the dissertation you see attached to this post. Along this path, I learned that digital forensic investigations are not art, although there is room for creativity to guide an analyst’s path. I also learned that digital forensic investigations are not science, but we can use scientific processes to study how humans can better bridge the gap between perception and reality. Digital forensic analysis is engineering. With the right people in the room asking the right questions, there is nothing a computer does that cannot be explained. That means that the only thing standing between me and knowing what happened is my own ability to understand evidence and behavior. These realizations empowered me, dramatically changed my career trajectory, and are why you’re reading this.
I once read that everything exciting happens on the fringes of where two things meet; the middle is boring because everything is the same. While I’m not sure I agree with that idea completely, I know that most of my professional curiosity is stimulated at the borders shared by cyber security, cognitive psychology, and education. Every investigation involves a human sitting at a console looking at data. Ultimately, those humans have the most to say about whether a compromise is fully discovered and contained.
Paul L. Kirk was a biochemist, criminologist, and early pioneer of forensic science. He was also a successor of Edmund Locard, who is considered by many to be the father of modern forensic science. In 1953, Kirk invoked Locard’s Exchange Principle when he wrote a now-famous quote describing the relationship between an investigator, a criminal, and the evidence they leave behind. I’ve taken the liberty of updating his quote to make it more relevant to modern digital forensics.
Wherever they pivot, whatever they access, whatever they leave behind, even unconsciously, will serve as a silent witness against them. Not only their authentications or their executions, but the packets they transmit, the files they change, the tool marks they leave, and the data they upload or download. All of these and more bear mute witness against them. This is evidence that does not forget. It is not confused by the excitement of the moment. It is not absent because human witnesses are. It is factual evidence. Digital evidence cannot perjure itself and it cannot be wholly absent. Only human failure to find, study, and understand evidence can diminish its value.
Chris Sanders, revised from Paul L. Kirk (1953)
I find the last line of that quote (unchanged from its original version) the most impactful. Ultimately, many of the issues cyber security faces in its cognitive crisis are education problems. We must better understand how and why experts do the things they do to teach them to other people and refine them; something that we’re currently failing at.
Therefore, cyber security is the medium for my work, cognitive psychology provides the framework for understanding how analysts perform, and my findings are expressed through education. My choice to pursue a doctorate in education was primarily focused on the outputs I hope to achieve from my research: a clearer establishment of the human-centric investigation theory research field, a more formal digital forensics analytic doctrine, and the methods to help people learn that doctrine.
While a doctorate is a terminal degree, the document encapsulating it is only the beginning. I plan to continue my research focused on different facets of how analysts perform investigations and strategies for teaching investigation concepts. As a matter of fact, I have ongoing research projects as you read this post.
As part of this continued work, I’m seeking research partners who might want to work or collaborate. This includes:
Please contact me directly if you are interested in either of these opportunities.
While my acknowledgments are included in the dissertation document itself, I thought it important to also include them here, just like I do in all the blog posts that have accompanied the release of my books.
I would like to thank the people who helped make this document possible and contributed to the positive step forward it represents. First and foremost, thank you to my wife Ellen, who I kept awake countless nights by storming into the bedroom rambling on and on about the ideas running through my head following late classes.
Nobody becomes a scholar alone, and I was fortunate to have several amazing people on this journey with me. I want to extend my gratitude to my doctoral colleagues who made this whole experience more enjoyable. I also want to thank my instructors at Baylor who shepherded me along this scholarly experience, with special thanks to my advisor, Dr. Sandi Cooper. I don’t fit the mold of a typical education student, and I appreciate all of you opening up your mind to learn from me as I did from you.
I want to pay special tribute to my students, whose success helps motivate me, including anyone who has ever taken one of my classes, read one of my books, or sat in on one of my conference presentations. Additionally, I want to thank my colleagues who served as sounding boards and provided feedback on my ideas.
This whole project started over a decade ago when I was a struggling young analyst trying to learn the craft. Someone told me that you are either born with the skills needed to do this job, or you are not. I thought that was nonsense, and I have spent the rest of my career gathering the knowledge and data to prove it. The document you are about to read is a step along that path. I don’t remember the name of the person who told me that, but I want to thank them too.
You can download my complete dissertation paper for free at this link.
The paper will be available in the Baylor and ProQuest databases on December 19th, 2021.
You may cite this work as:
Sanders, C. (2021). The analyst mindset: A cognitive task assessment of digital forensic analysts [Doctoral dissertation, Baylor University]. https://chrissanders.org
This article serves as a compass, guiding readers through a diverse array of recent dissertation topics that encapsulate the multifaceted nature of forensic research. From digital forensics to forensic psychology, the chosen dissertation topics reflect the evolving challenges and advancements in solving complex legal puzzles.
Forensic DNA Analysis:
Digital Forensics:
Forensic Anthropology:
Forensic Toxicology:
Forensic Psychology:
Forensic Pathology:
Forensic Odontology:
Forensic Entomology:
January 7, 2024 at 2:22 am
Thank you for this post. I needed to submit a topic for my dissertation on Monday and you guys saved me big time.
The master’s in digital forensics program provides you with the latest techniques and hands-on approaches to analyzing computers and other types of digital media. The program’s coursework examines the various methods used to determine whether something has been used for illegal or unauthorized activities, or has fallen victim to an illegal attack. Upon graduating, you’ll have the knowledge and skills required to work as an examiner in the field or continue on to a doctoral degree or law school. Gain employment in a number of industries from government to law enforcement to the private sector. This program also prepares you for certification exams, including CompTIA A+, GIAC Security Essentials and CompTIA Network+.
Designed to help you balance school, work and life, the UCF Online digital forensics program is available 100 percent online. Please note that if you choose the thesis option, you will be required to attend a one-time on-campus thesis defense before you can graduate. UCF also offers a Computer Forensics Graduate Certificate, which requires completing 12 credit hours.
The Master of Science in Digital Forensics degree is a collaborative effort between various UCF academic departments — Computer Science, Forensic Science of Chemistry, Criminal Justice and Legal Studies — and the National Center for Forensic Science. The National Center for Forensic Science is a State of Florida Type II Center and a member of the National Institute of Justice Forensic Resource Network of the Department of Justice, serving the needs of state and local law enforcement and forensic scientists.
Course overview: Computer Forensics I
Explore legal issues regarding seizure and chain of custody, and technical issues in acquiring computer evidence. You’ll examine popular file systems, as well as reporting issues in the legal system.
Cover a range of topics related to security incidents and intrusions, including identifying and categorizing incidents, responding to incidents, log analysis, network traffic analysis and tools.
Analyze malicious code, such as viruses, worms, trojans and spyware, and software vulnerabilities, such as buffer overflows.
UCF’s Master of Science in Digital Forensics program is designed for those with a bachelor’s degree in computer science (CS), computer engineering, information technology (IT) or a closely related field.
Students with a BS and/or MS in an area other than a computer-related field need to show either that they have taken some basic CS/IT courses or training, or that they have working experience in CS, IT or digital forensics.
To apply, submit the general graduate admissions requirements and the following:
The mission of the MSDF degree program is to provide a quality graduate education in science and practices of digital forensics, to prepare the students for digital forensics jobs, and to prepare the students for a lifetime of learning. The objectives of the program include the following:
The Digital Forensics MS degree comprises 30 hours of study beyond the bachelor's degree, with required, intensive specialization in topics related to digital forensics. The degree program prepares students, including working professionals pursuing the degree on a part-time basis, to gain the knowledge and skills required to work as an examiner in the field. The program may also be taken by those who have an interest in scientific applications and research in the field, and who would like to continue to a doctoral degree program or law school after completion.
The program offers either a thesis option (6 credit hours) or an opportunity to complete two additional courses (6 credit hours) selected from the Restricted Electives. At least one-half of the credit hours must be at the 6000 level.
Total Credit Hours Required: 30 Credit Hours Minimum beyond the Bachelor's Degree
Please note: Digital Forensics (MS) may be completed fully online. Most courses are either online courses or have both on-campus and online course sessions. Newly admitted students choosing to complete this program exclusively via UCF online classes may enroll with a reduction in campus-based fees.
International students (F or J visa) are required to enroll in a full-time course load of 9 credit hours during the fall and spring semesters. Only 3 of the 9 credit hours may be taken in a completely online format. It could be difficult to satisfy these requirements since many courses in this program are offered only online. Please contact the Program Coordinator to discuss possible admission issues.
UCF is not authorized to provide online courses or instruction to students in some states. Refer to State Restrictions for current information.
Undergraduate articulation courses may be required for students with BS and/or MS degrees in fields other than a computer-related field. If you are not in a STEM-related BS program, you need to show either that you have taken some basic CS/IT courses, or that you have working experience in CS, IT or digital forensics. If you want to take some prerequisite courses, you can take two to three of the following courses at UCF or equivalent courses elsewhere:
Courses taken to correct deficiencies cannot be used to satisfy minimum degree requirements.
Required courses.
Application requirements.
Financial information.
Graduate students may receive financial assistance through fellowships, assistantships, tuition support, or loans. For more information, see the College of Graduate Studies Funding website, which describes the types of financial assistance available at UCF and provides general guidance in planning your graduate finances. The Financial Information section of the Graduate Catalog is another key resource.
Fellowships are awarded based on academic merit to highly qualified students. They are paid to students through the Office of Student Financial Assistance, based on instructions provided by the College of Graduate Studies. Fellowships are given to support a student's graduate study and do not have a work obligation. For more information, see UCF Graduate Fellowships, which includes descriptions of university fellowships and what you should do to be considered for a fellowship.
The Independent Learning Requirement is met by successful completion of a master's thesis or completing the capstone course CIS 6207.
‘Digital forensics’ represents the collection of digital investigation techniques used for crime-based applications. It is a sophisticated platform for analyzing evidence in digital format for legal issues. The main aim of this technology is to examine computer-oriented criminal activities carried out by intruders/hackers against digital information, using different methodologies. The investigation and evaluation techniques applied to the pieces of evidence should meet reliability standards and sound technical practices. This page gives you more information on new advances in the forensics research field, with the latest Digital Forensics Thesis ideas and tools.
Due to the increased growth of digital innovations, digital forensics is currently used in all information technology and computer-aided systems. So, it grabs the attention of the majority of scholars to begin their research careers.
Based on the current demand and research issues of digital forensics , we have collected a vast amount of Digital Forensics Thesis Ideas for current and upcoming scholars. For your information, here we have given you a few tips to select the best thesis idea for your forensics research.
With the intention of finding the actual incident, digital forensic agents investigate collected event data such as artifacts, footprints, fingerprints, etc. At the end of the investigation, the agent comes to a conclusion based on the discovered evidence. Further, it also includes the following advantages:
How does digital forensics work?
In general, the digital forensics field was primarily envisioned for analyzing web-based cybercrime. Practitioners are also adept at collecting, categorizing and securing evidence from any form of corrupted/modified digital data. Further, they validate the evidence to guarantee its admissibility in court. Overall, they recover the original content from collected data through advanced and reliable techniques.
Next, we can see some classifications of digital forensics. They help you to find the important purposes of a digital forensics investigation. Our experts have more than enough skill in handling the following scenarios. Additionally, we also support you in other major use cases of the digital forensics field.
We hope you understand the special purpose of digital forensics from the above classifications. In addition, we have listed the two primary steps involved in digital forensics.
In the above section, we have already discussed the aim of digital forensics. Now, we can see the list of objectives in digital forensics from a research perspective. Scholars who wish to do research on forensic-related projects aim to achieve the following objectives through advanced technologies. Our resource team will definitely guide you in formulating novel digital forensics thesis ideas.
For simplicity, here we have given you the lifecycle of digital forensics in terms of data collection, data analysis, and evidence acquisition, with their processes. These lifecycle classifications are common to all digital forensic projects. Where requirements demand it, more steps will be included for improvement. We are ready to assist you in all types of forensics applications regardless of complexity.
Our resource team is well practiced in both real-time and non-real-time applications to support you in every aspect of research and development. Our primary motive is to give you up-to-date Digital Forensics Thesis Ideas. So, we regularly collect the latest research issues by referring to several online and offline research materials. From our current collection, here we have listed a few ongoing research challenges of digital forensics.
Furthermore, we have also listed the future research directions of the digital forensics field, since today’s research areas will be tomorrow’s research foundations. We assure you that all the research notions specified below have long-lasting future scope for further studies. For more details on both current and future generation research on digital forensics, communicate with our team.
In addition, we have itemized the significant methodologies involved in both forensic and anti-forensic studies. All these methodologies are considered the best result-yielding techniques based on our experience. Beyond these methodologies, we also support you in other growing technologies of digital forensics. We are currently working on hybrid technologies to elevate the research worth to the next level for the scholars we guide.
For the benefit of active scholars, here we have listed the top 5 innovative Digital Forensics Thesis Ideas. This helps you to identify the current research directions of the forensic field in a digital society.
Moreover, we have also included the latest digital forensics research topics from the most in-demand research areas of the digital forensic field. If you are looking for innovative digital forensic project topics in your area of interest, then approach us. We will let you know about upcoming improvements.
Once you select the research topic with appropriate solutions, the next vital step is development tool selection. For the digital forensic field, numerous commercial and non-commercial tools have been developed. Now, we are going to look at a few widely used tools and technologies among them. Since forensic analysis is a challenging task to perform in a real environment, it is essential to choose the apt implementation tool for evidence collection, mitigation, and investigation.
Digital forensics plays a vital role in proving and disproving the digital evidence of cyber-crime. Here, we have given you a list of popular digital forensic tools with their supporting platforms and purposes.
For your digital forensic project, we can support installation and execution steps. The installation steps for the python programming language are mentioned below.
LibForensics
Next, we can look at other research ideas that are waiting to create an incredibly positive impact on digital forensics. These ideas will surely put you one step ahead of your competitors. For your reference, we have given only a few here; beyond these ideas, we have an abundance of innovations based on new developments.
Forensics in Cyber System
Overall, we ensure that we provide fine-tuned services at every stage of your research journey. We have guided numerous research scholars in crafting innovative digital forensics thesis ideas. Once you make a bond with us, we will take on full responsibility for your research and assist you from identifying an area of interest to investigating empirical results. In other words, we will be with you throughout the whole journey of research.
Digital forensics tools have improved a lot in the past several years. With these advances, the digital forensics community now has many tool options for each phase of an investigation.
In fact, there can be a lot of options to keep track of.
That’s why we wanted to bring together the ultimate guide to DFIR tools—highlighting options available to examiners and the best time to use them.
The advancements in digital forensic tools over the years have largely been driven by two things to meet evolving investigation needs: competition between more forensic software developers and the maturation of the digital forensics open source and research communities.
When it comes to the rise in competition between software providers, IDC has created a few in-depth reports comparing digital forensic tools for both private-sector cyber security professionals and public-sector digital investigators. Their recent MarketScape report found Magnet Forensics to have the highest capabilities of any digital forensic tool.
As for the maturation of the digital forensics research community, conferences like the Digital Forensics Research Workshop, the Scientific Working Group on Digital Evidence (SWGDE), and the Magnet User Summit have been great opportunities for the community to get together and share knowledge and pain points. Companies like Magnet Forensics support these communities with resources and data sets and provide an easy way for the community to capture, re-use, and share new artifact knowledge. Instead of gatekeeping, software companies working with the digital forensics community have driven rapid advancement in all types of digital forensic tools. Whether closed or open-source, free or paid, we’re bringing you a comprehensive list of digital forensic tools to help you kit out a digital forensic laboratory of any size.
This guide will focus on the tools needed to build a functioning general-purpose laboratory in
Typically, a digital forensics laboratory will have several digital forensics tools that do the same task. For example, several overlapping tools allow the laboratory to validate investigation results (see Josh Brunty’s guide and the SWGDE validation guidelines).
Whatever tooling you choose, ensure that you can get the same results using different methods. If you can’t, you must be able to explain why you can’t. Validation may mean manual parsing, conducting research, and reaching out to the forensics community.
When choosing digital forensics tools for your toolkit, think about each part of your investigation workflow and the tasks that normally need to be completed. Comprehensive digital investigation toolkits support the most common investigation tasks. These toolkits can often include third-party or user-created artifacts or modules. Custom artifacts let a lab quickly develop parsers for newly observed sources of evidence, regardless of the underlying software tool. It’s worth learning how to write custom artifacts for your preferred toolkits.
Free, open-source forensics software tools are excellent for validating results. But outfitting an entire lab with free software can lead to a patchwork of tools that don’t always work together. Sometimes, this can make for complex and inefficient workflows and reduce your time to evidence. It’s recommended that a professional lab have at least one fully comprehensive software solution, like Magnet One, to work quickly through cases with a minimum of downtime. Using tools that are well recognized by courts will also save time and smooth testimony at trial.
The following digital forensic tool lists are categorized using the first Digital Forensic Research Workshop investigative process for digital forensic science. Although proposed in 2001, the procedural concept is holding up surprisingly well. Let’s look at digital forensic tools and where they fit in identification, preservation, collection, examination, and analysis.
This is probably the most challenging part of any investigation. Before we can respond to an incident, we must detect it. Reporting could come from victims opening a case, a financial audit, or an admin checking their logs.
In criminal investigations, cases are typically reported to law enforcement. For private organizations, however, incident detection is critical. Passive measures like honeypots and canary tokens can greatly assist in alerting an organization to a compromise, while a tool like Magnet Axiom Cyber helps with threat hunting, Windows event log analysis, and incident response tasks.
Increasingly, users identify security incidents from threatening messages on the screen. Ransomware encrypts user files and demands payment for the decryption key. If you or your organization have been a victim of ransomware, find information and tools from Magnet Axiom Cyber. Continue with your incident response plan and make copies of all data. To learn more about ransomware, see this excellent talk by Cindy Murphy. For an in-depth report on global threats, see the CrowdStrike 2024 Global Threat Report.
Tools to assist in incident identification are used either pre- or post-incident. Pre-incident monitoring often results in more data and higher fidelity. Post-incident analysis requires much more challenging event reconstruction, often with limited data. Corporate environments have control of their systems and may enable pre-incident monitoring with additional logging and detection systems. Law enforcement, however, almost always deals with post-incident default (or disabled) logging and anti-forensics.
Magnet Axiom Cyber is the industry leader in pre-incident monitoring and post-incident acquisition. It allows you to recover deleted data and investigate digital evidence from mobile, computer, cloud, and vehicle sources all in one case file with powerful analytics.
Unfortunately, an incident has been identified, and you now need to create a case, start documentation, and preserve any related data.
Most comprehensive digital investigation toolkits require creating a “case” in the software before adding exhibits. Case management within your primary analysis tool may be possible. However, consider overall lab management and collaboration. An organization-wide case management system will provide better visibility and coordination.
Regardless of where case management tools are placed, ensure your investigators can easily document their processes and are supported in writing comprehensive reports. This support implies access to a knowledge base of commonly used legislation, definitions, references, and procedures.
Case management, documentation, and reporting requirements have advanced beyond an MS Word document. Here are tools to assist in the quality and security of investigation communications.
Magnet One is the gold standard tool here; it improves efficiency and breaks down silos by enabling stakeholders agency-wide to manage, collaborate, analyze, and report on all aspects of your digital investigations.
Help first responders collect evidence from witnesses on-scene without asking them to give up their devices with Magnet Shield.
Forensic imaging is both common and important in digital forensic investigations. But imaging is not easy. Resources like Practical Forensic Imaging are great for understanding the imaging process and challenges.
Hardware write-blockers are highly reliable devices and typically only fail when misconfigured. Some write blockers allow you to disable write-block functions and use the device as a read/write hardware bridge. Be sure to include usage training and testing when adding hardware write blockers to your toolkit. It is crucial to have a standard testing methodology that your local court accepts and regularly test your
Most Linux-based forensic operating systems include software (kernel-level) write-blocking. There are several commercial write blockers for Windows, but they tend to be more expensive than hardware write blockers. If you choose a software write-blocker, ensure a testing and validation procedure is in place.
Hardware and software write blockers need to be paired with imaging software. Hardware disk imagers have disk imaging software built-in; some external write blocker devices do not. Correct imaging is critical in any investigation, and the community is lucky to have such solid tools available for free.
Magnet Acquire is the best tool for physical and logical disk imaging as well as mobile device imaging. It allows investigators to quickly and easily acquire forensic images of any iOS or Android device, hard drive, and removable media. Best of all it is completely free.
With disk acquisition, be aware of how the acquisition software treats bad clusters. For example, some software may write zeros where a disk read fails. Others may skip the sector and write nothing to the image. The error response alone can produce two different images from the same failing disk. Configure your imaging software to respond to errors according to your lab’s SOP. Unfortunately, imaging software often does not allow error configuration and may not document its read failure procedure. In that case, you will need to test the responses of different software and choose the tools that fit your lab best.
As with disk imaging, laboratories should acquire RAM images from case-related systems. Random Access Memory (RAM) contains information about the system and user activities since the last time the computer was shut down. This might include information that will never be written to disk. As such, it can be a valuable source of evidence for investigators.
RAM is volatile, meaning that it changes quickly. If a computer or device is shut down, all data in RAM is cleared and cannot easily be recovered. First responders need the tools and training to collect a RAM image from a live environment. Live Data Forensics is not easy and should only be done by those competent to do so.
Magnet DumpIt for Windows is a free, fast memory acquisition tool for Windows (x86, x64, ARM64). This software, created by Comae Technologies, does not require a pre-installed agent. Machine states can be collected via DumpIt and its PowerShell interface to provide your organization with more flexibility. It generates full memory Microsoft crash dumps on the fly without having to trigger a Blue Screen of Death (BSOD).
Magnet Response is a free and easy-to-use solution to quickly collect and preserve data from local endpoints before it is potentially modified or lost. A pre-set collection profile gives you the ability to target a comprehensive set of files and data relevant to incident response investigations, including RAM. Key features:
Remember that RAM acquisition is complicated. You will need to load the tool into memory to acquire memory. As forensic examiners, we want to reduce the footprint of forensic tools in memory so we don’t overwrite valuable evidence. Also, if the system is on, the RAM contents are changing. Imaging the same RAM twice will never result in the same image (and hash value). Hash the RAM image immediately after the acquisition; that hash becomes your ground truth.
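To make the bad-cluster point above concrete, here is an added example (not Magnet’s code, and not any real imager’s behaviour) that simulates imaging a failing disk under the two error policies the text describes, zero-filling unreadable sectors versus skipping them, and then hashes each result the way you would hash a finished acquisition. The disk, its two bad sectors and the policy names `zero_fill` and `skip` are all constructed for the example. It shows that the same source produces images of different sizes and different hashes, that the skip policy shifts every later sector to a different offset, and that an identical policy is reproducible, which is why the hash recorded with the error log is a defensible ground truth for a disk but, as the paragraph above notes, not for live RAM.

```python
"""Imaging read-error policies and post-acquisition hashing (added example).

Simulates a failing source disk with a few unreadable sectors and images it
under two error-handling policies. Everything here is constructed: the disk,
the bad sectors and the policy names. It is not the behaviour of any named
imaging tool; test your own tools to learn what they actually do.
"""
import hashlib
from typing import Dict, List, Set, Tuple

SECTOR_SIZE = 512


class FailingDisk:
    """A constructed block device; `bad` holds the sector numbers that fail to read."""

    def __init__(self, data: bytes, bad: Set[int]):
        if len(data) % SECTOR_SIZE:
            raise ValueError("disk size must be a whole number of sectors")
        self.data = data
        self.bad = set(bad)
        self.sectors = len(data) // SECTOR_SIZE

    def read_sector(self, n: int) -> bytes:
        if n in self.bad:
            raise IOError(f"read error at sector {n}")
        start = n * SECTOR_SIZE
        return self.data[start:start + SECTOR_SIZE]


def image_disk(disk: FailingDisk, policy: str) -> Tuple[bytes, List[int]]:
    """Image the disk sector by sector under one of two hypothetical policies.

    zero_fill: an unreadable sector becomes SECTOR_SIZE zero bytes (offsets preserved)
    skip:      an unreadable sector is omitted (image shrinks, later offsets shift)
    Returns the image and the list of failed sectors, which belongs in the case notes.
    """
    if policy not in ("zero_fill", "skip"):
        raise ValueError(f"unknown policy {policy!r}")
    out = bytearray()
    errors: List[int] = []
    for n in range(disk.sectors):
        try:
            out += disk.read_sector(n)
        except IOError:
            errors.append(n)
            if policy == "zero_fill":
                out += b"\x00" * SECTOR_SIZE
    return bytes(out), errors


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquisition_record(disk: FailingDisk, policy: str) -> Dict:
    """What you would write into the acquisition log: policy, size, bad sectors, hash."""
    image, errors = image_disk(disk, policy)
    return {
        "policy": policy,
        "image_size": len(image),
        "bad_sectors": errors,
        "sha256": sha256_hex(image),
    }


def offset_of_sector(image: bytes, n: int) -> int:
    """Byte offset where sector n's original content landed in the image, or -1 if lost."""
    return image.find(bytes([n]) * SECTOR_SIZE)


def build_sample_disk() -> FailingDisk:
    """Constructed 8-sector disk; each sector is filled with its own number so shifts are visible."""
    data = b"".join(bytes([n]) * SECTOR_SIZE for n in range(8))
    return FailingDisk(data, bad={3, 5})


if __name__ == "__main__":
    disk = build_sample_disk()
    for policy in ("zero_fill", "skip"):
        rec = acquisition_record(disk, policy)
        img, _ = image_disk(disk, policy)
        print(rec, "sector 4 now at offset", offset_of_sector(img, 4))
```

The practical lesson is in `offset_of_sector`: with a skip policy every sector after the first failure moves, so file system offsets recorded during analysis no longer match the original disk, and a second examiner imaging with a zero-fill tool will get a different hash even though both acquisitions were performed correctly. Recording the policy and the bad-sector list next to the hash is what lets you explain that difference in court.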
Just like computer forensics, mobile forensics is split into acquisition and analysis. Recently, more analysis toolkits have included processing data from mobile devices. Acquisition, however, remains a significant challenge. Newer mobile devices are often secure, requiring advanced technologies such as Magnet GrayKey to acquire data from them.
Older devices often have publicly released vulnerabilities and utilities to bypass disk protection. Commercial tools, while more user-friendly with extensive interfaces and resources, often include non-publicly released exploits for newer devices. In addition, tools like Magnet GrayKey provide much more complete data extraction from supported devices. Extracting a full file system contains significantly more information than a logical extraction.
Magnet Acquire allows mobile device acquisition for both iOS and Android.
Collection, examination, and analysis are theoretically separate concepts in the DFRWS process model, but multi-function digital forensics tools tend to cover some aspects of each. Multi-function tools help an investigator understand the data and its relation to the investigation question. From there, we tend to dig deeper into specific artifacts or even pivot to other more specialized tools for analysis.
We have our forensically sound acquisitions of all case-related devices. Most full-featured digital forensic tools will ask to create a case in the tool’s management system. All exhibits and data sources are typically added under a single case. Grouping exhibits by case keeps everything together, but tools like Magnet Axiom and Magnet Axiom Cyber can find similarities between data sources such as files, usernames, phone numbers, etc.
The following tools are the gold standard investigation tools used worldwide:
Handling mobile data structures is challenging due to their complexity and the varying formats employed by different manufacturers. Additionally, the rapidly evolving changes in the mobile environment, such as frequent OS updates and new security features, constantly require forensic experts to adapt and update their methods and tools.
Some of the full-featured tools listed previously have built-in mobile data analysis capability. Sometimes integration for mobile analysis feels like an add-on rather than the main investigation point. That’s useful for basic searching and analysis, but needing more in-depth functionality is common. The following tools appear to put mobile device data analysis first, including the challenges that come with it.
When looking for a mobile analysis tool, consider whether the tool can parse common as well as trending data structures, an ability to customize or get support for case-specific data structures, and how easily (and comprehensively) the tool allows you to search and visualize the data. With mobile data analysis, you’re looking for updates more often than with computer analysis.
eDiscovery solutions focus more on litigation and discovery workflows. They have feature sets that are often useful for any digital forensic investigation. It is common to see eDiscovery software used with comprehensive toolkits described above. The scope of eDiscovery can vary, and the tools required will as well. We’ve talked about the anatomy of an eDiscovery investigation before. You’ll need a tool that helps with data collection, reduction, and review.
Magnet Axiom Cyber allows for covert remote device acquisition, data reduction with keywords, hash lists, and advanced picture and video analysis. After data reduction, Axiom Cyber produces a load file for eDiscovery review platforms.
Modern eDiscovery tools are very powerful and tend to prefer cloud-based systems. Cloud-based systems make processing much faster and allow for advanced automation and machine learning. Each tool will work great for standard workflows. Which one works best for you depends on the data types you tend to work with and your goals. Almost all eDiscovery tools are attempting to use machine learning for classification. The best model for you will be the one that most closely matches your data.
In investigations, it’s increasingly common that some sort of open-source intelligence (OSINT) is necessary: looking up publicly available information online to help build timelines, corroborate evidence, and sometimes obtain an outright confession.
Magnet Web Page Saver can act as a browser and allows you to take full-page snapshots, including source files, an acquisition report, timestamping, and automatic file hashing. It also accepts a list of URLs to render and acquire automatically. If you ever take screenshots of web pages, this is a must-have.
We’re not quite done! The most valuable piece of your kit is you (and your team). Hardware, software, automation, and artificial intelligence can get you far. Still, a well-trained investigator must put the puzzle together and tell the story. Invest in your investigators.
Similarly, the digital forensics community is relatively small but very active. There are some great resources like This Week in 4n6, DFIR Training, and About DFIR. Public and private sector experts often share information and resources and answer questions at the DFIR Discord as well as Forensic Focus.
If you are ready to collaborate and share resources with the community, check out Use GitHub to get started in the DFIR Community below.
That about does it for the ultimate guide to DFIR tools in 2024! It’s a fantastic, rapidly developing community. No list can do justice to all the great work, but this should be enough to get any digital forensic laboratory started. Check back often to see what’s new. And don’t be afraid to search for specialty tools on GitHub. You never know where you will find the next big break in the case. Keep your options open.
May 22, 2023
Apple has released the Beta version of iOS 16, which is expected to be fully released in September. This release will include new messaging features, including editing, recall and recovery capabilities for messages sent between Apple devices. Our Digital Forensics & Investigations practice has been closely following and regularly testing iOS releases so as to explore potential investigation issues, challenges and opportunities. The new messaging capabilities are particularly interesting in the current Beta release because they carry a number of implications from a digital forensics perspective.
For legal teams and organizations that are routinely monitoring and/or collecting from iOS devices for investigations and litigations, it’s critical to understand how the new messaging capabilities in this Beta version may impact the ability to preserve and recover evidence in the future.
Most notably, the Beta version of iOS 16 implements a “Recently Deleted” folder, which enables users to recover messages deleted within a 30-day period. This involves a “soft delete” function wherein deleted messages are moved to the Recently Deleted folder for 30 days before being permanently removed from the device. Essentially, messages are left behind on the device for a period of 30 days. Given the difficulties of recovering deleted messages in earlier iOS versions, which were set up to permanently remove nearly all traces of deleted content immediately, this new feature could be a boon for investigators who know where to look and how to uncover these artifacts.
In addition to examining the implications of this new “soft delete” function (i.e., when a user deletes a message but the message is automatically moved to the Recently Deleted folder rather than immediately removed from the device), our team conducted extensive testing on the changes to the messaging capabilities in iOS 16, using a suite of forensic tools. Our key findings include:
An important consideration with these changes is that they are consistent with the increasing prevalence of modify, delete, mask and recover functions in messaging applications. The proliferation of ephemeral messaging tools has made it difficult for investigators to follow the trail of evidence in many matters. Some of these changes within iOS 16 (such as message editing and recall) will follow that trend. However, digital forensics experts who know where to look and what to look for will be able to leverage the soft delete feature and records of other message changes to uncover artifacts that help paint a picture of what was happening on a device and when.
Our team will continue testing iOS 16 in Beta, as well as the features that are ultimately released when the full version launches.
Kevin Leung
Senior Director
Matt Witchey
Megan Danilek
Despite its made-for-TV elements, the Karen Read trial featured an array of critical evidence from cellphones and computers that turned out not to be as clear or convincing as the kind often featured on “Law & Order,” “CSI,” and other popular crime series.
Inconsistencies in phone call records; a confusing time stamp on a Google search to learn how long it would take for a person to die in the cold; health data that showed a person descending a stairway — or maybe in a car.
While some forensic work is well established, such as DNA evidence, other technologies aren’t quite as grounded, as the Read trial showed. In particular, the field of digital forensics continues to evolve, shaped by court challenges and advancing technology. So, questions around the validity of that data have become the latest frontier in what legal observers call the “battle of experts”: dueling interpretations of an unsettled science.
And, with enough legal prowess — and financial resources — defendants can line up parades of experts to try to undermine a prosecution witness’s interpretation of forensic data, from the timing of a Google search to the movement of a human body.
“As technology advances at such a rapid pace, the things that we used to think were black and white aren’t black and white anymore,” said Christina Miller, a professor at Suffolk Law who previously focused on cases that involved digital forensics as a Suffolk County prosecutor.
She noted two recent Massachusetts Supreme Judicial Court rulings that each upheld decisions to disallow certain data from being used as evidence because of questions about their accuracy: In 2021, the courts disallowed the calculation of a defendant’s speed by a GPS device, and earlier this year, the courts prevented evidence of a defendant’s cellphone location history from being introduced in a criminal trial.
In the latter case, the analysts for the prosecution had used a different version of an iPhone’s operating system as they sought to replicate the data. That underlined one of Miller’s main points: “The forensic examiner is only as good as the tools they use, and the tools are only as good as the data.”
Expect to see more court challenges, she said.
Michael Kendall, a former federal prosecutor who’s now a defense attorney, added that judges have to be “much more demanding” in determining the validity and credibility of someone claiming to be an expert — as well as what science and processes are rigorous enough to constitute presentable evidence.
“There has been so much phony scientific evidence that has railroaded people over the years,” he said. “There has to be some validation of the expert. The court needs to police the quality of the experts and the quality of the science.”
The reliability of certain digital forensic data varies with the nature of the technology at issue. Programs were developed to complete specific functions, not, for example, to serve as an official time-stamped record of events that could constitute irrefutable evidence, said Seth P. Berman, a defense attorney and former prosecutor. So, while emails, Google searches, or phone calls may include a time stamp, that doesn’t mean the time stamp itself is accurate.
“This entire field of computer forensics is essentially an accident,” said Berman, who leads the privacy and data security practice group at law firm Nutter and previously worked for a firm that specialized in digital forensics. “Nobody created computers with the goal of using them to create evidence.”
So, he added, “As a result, the data is not that clear. There are a bunch of things that just go wrong,” and can lead to different expert interpretations.
Take, for example, the Read case. She was charged with backing into her boyfriend, Boston police Officer John O’Keefe, with her Lexus SUV after a night of heavy drinking in 2022 and leaving him to die outside the Canton home of a fellow Boston police officer during a blizzard. Her defense team claims she is being framed, and that O’Keefe was actually beaten by people who had been attending a gathering inside the home, and then dumped outside. Read found O’Keefe’s body hours later in a snowbank, after returning to look for him.
The case ended in a mistrial in July, and a new trial is slated for January.
At the core of the defense’s theory is the timing of a Google search for “hos [sic] long to die in cold” by Jen McCabe, a woman who was at the gathering inside the Canton home. According to an expert hired by the defense, data show she Googled the inquiry on her phone at 2:27 a.m., hours before O’Keefe’s body was found. Many among the crowds of Read supporters who gathered regularly outside the courthouse cited the testimony as a crucial indicator of her innocence.
But prosecution experts said the testimony was wrong and that the search occurred after Read and McCabe found O’Keefe’s body shortly after 6 a.m. The discrepancy, prosecution witnesses said, stemmed from confusion around what the time stamp was referring to; they said the 2:27 a.m. stamp simply referred to when the web page that was later used for the search was first opened.
There were similarly differing claims over other evidence: calls that were deleted from the phone, or not; how fast Read’s car accelerated while in reverse; O’Keefe’s movements, based on data from his phone and watch.
Read’s team of lawyers mounted an aggressive defense, sharply cross-examining most of the government witnesses and also producing some of their own.
A judge declared a mistrial after the jury reported it was deadlocked and could not reach a verdict. Read maintains her innocence.
Berman noted that most defendants don’t have the financial means of Read, a financial analyst and adjunct professor who also benefited from the donations of ardent supporters. A defense effort that had less time, labor force, and money likely would not have been able to push back so forcefully on inconsistencies in the data, he said.
Ultimately, judges are the arbiters in determining the credibility of an expert witness or the validity of a science, guided by appeals court decisions, including precedents set by the US Supreme Court. The goal is to “winnow science from junk science,” said Rosanna Cavallaro, a Suffolk Law professor who teaches about evidence. But that can be difficult, she said, as new technologies and expertise in those technologies evolve.
Cavallaro also said a “battle of experts” can be detrimental to a case when the process devolves into each side simply hunting for the most favorable expert they can find — someone who not only will come to the conclusion they seek, but who will communicate it engagingly and effectively.
At times, she said, “you do become concerned that the person’s opinion is up for sale. The problem has been pervasive across the sciences.”
Sean Cotter can be reached at [email protected]. Follow him @cotterreporter.