Digital Forensics

Edited by André Årnes

Norwegian University of Science and Technology (NTNU), Norway and Telenor Group, Norway

Preface

You are holding in your hand a copy of the Digital Forensics textbook written by faculty, associates, and former students of the Norwegian Information Security Laboratory (NISlab) at the Norwegian University of Science and Technology (NTNU). Some of the authors of this textbook have themselves studied digital forensics at NISlab. The textbook is based on teaching material, academic research, experiences, and student feedback over almost ten years of teaching digital forensics, and it represents our common philosophy of how digital forensics should be learned.

Digital forensics is a unique field of research, in that new information technology and new ways of exploiting information technology are introduced at an astonishing rate. Both researchers and practitioners regularly face new technical challenges, forcing them to continuously develop their inquisitive and creative abilities. While digital forensics requires a strict adherence to process and procedures, it is the creative abilities that will make one excel in this area.

This textbook starts with an introduction to forensic science that establishes the foundation for understanding the more specific area of digital forensics (Chapter 1). We introduce the fundamental principles of digital forensics, evidence dynamics, and chain of custody, followed by the digital forensics process, introduced by Anders O. Flaglien in Chapter 2. The introductory chapters establish the main building blocks of any digital investigation, and these serve as a common thread through all the chapters in this textbook.

With the forensic principles and process in mind, Inger Marie Sunde, a professor of law, takes us through a deep dive into the legal aspects of cybercrime and digital evidence, supported by a range of international examples and legal provisions. Chapter 3 serves as a comprehensive overview of an area that will benefit technical, legal, and tactical professionals alike.

Further building upon the digital forensics process and the legal framework, Ausra Dilijonaite introduces us to the area of digital forensic readiness in Chapter 4. While we are often left with the impression that investigations depend on ingenious and heroic efforts after the fact, we intuitively understand that the key to successful investigations is the readiness of people, processes, and tools. Ausra builds the case for planning and preparations as a key success factor for digital forensics.

The three technical chapters in this textbook are written by digital forensics practitioners – Jeff Hamm, Jens-Petter Sandvik, and Petter Christian Bjelland. They discuss in detail how to handle evidence in computer systems (Chapter 5), in embedded and mobile devices (Chapter 6), and on the Internet (Chapter 7). The chapters leverage the forensic process and share a common format. However, the evidence dynamics and the technical expertise required for the three areas are quite different.

Following the technical chapters, we provide an overview of research topics and open research questions within the field of digital forensics, supported by examples from research at NTNU. The purpose of Chapter 8 is to provide inspiration for further research for the readers of the textbook.

In the final chapter (Chapter 9), Stefan Axelsson provides advice and “lessons learned” to the educators and students using this textbook. Stefan is currently teaching digital forensics using an early version of this textbook as the curriculum, and he has played an important role in ensuring that the textbook is suitable for educational use. As inspiration to future studies and research, his chapter provides references to the main conferences, journals, and training programs in the field of digital forensics.

We would like to thank the chapter authors for their dedicated and collaborative efforts over more than one year of writing, proofreading, and editing, as well as the proofreaders Carl Leichter, Tyler Maldonado, Svein Johan Knapskog, and Arlene Marie Pearce for their contributions to this book. The Digital Forensics classes of 2015 and 2016 also provided important feedback and guidance with regard to the scope of the book.

We are grateful for the support from our publisher, John Wiley & Sons, Inc., who chose to believe in our proposal and who has provided valuable support over the course of one year. We are further grateful for the financial support provided by the Norwegian Information Security Laboratory at NTNU, the Centre for Cyber and Information Security (CCIS), the Testimon Forensic Group, the Norwegian Police Directorate, and the Norwegian Research Council toward this work.

Finally, on behalf of the authors, we would like to thank our loved ones, family, and friends for their support and for bearing with us during the preparation of this textbook.

Good luck with learning Digital Forensics!

André Årnes and Katrin Franke

Testimon Forensic Group

Norwegian Information Security Laboratory

Norwegian University of Science and Technology

Norway, September 2016

List of Contributors

This textbook has been written as a collaborative project with contributions from academic, law enforcement, and industry experts in the field.

André Årnes, PhD, Siv.ing. (MSc) – Oslo, Norway

Associate Professor, Testimon Forensic Laboratory, Norwegian University of Science and Technology (NTNU); and Senior Vice President and Chief Security Officer, Telenor Group, Oslo, Norway

Stefan Axelsson, PhD, MSc – Gothenburg, Sweden

Associate Professor, Norwegian Information Security Laboratory (NISlab), Norwegian University of Science and Technology (NTNU), Gjøvik, Norway

Petter Christian Bjelland, MSc – Oslo, Norway

Manager, Fraud Investigation & Dispute Services, Ernst & Young AS

Ausra Dilijonaite, MSc – Oslo, Norway

Manager, Cyber Risk Services, Deloitte AS

Anders Orsten Flaglien, MSc – Oslo, Norway

Security Architect, Central Bank of Norway

Katrin Franke, PhD, MSc – Gjøvik, Norway

Professor, Head of Testimon Forensics Group, Norwegian University of Science and Technology (NTNU)

Jeff Hamm, A.S. Criminal Justice – Mainz, Germany

Manager of Consulting Services, Mandiant, a FireEye company

Jens-Petter Sandvik, Cand.scient. – Oslo, Norway

Senior Engineer in Digital Forensics, National Criminal Investigation Service (Kripos)

Inger Marie Sunde, PhD, LL.M, Cand.jur. – Oslo, Norway

Professor, Norwegian Police University College

List of Figures

  1. Figure 2.1 The digital forensics process
  2. Figure 2.2 The digital forensics process: identification
  3. Figure 2.3 Example website directed to from a fraudulent email
  4. Figure 2.4 Example crime scene with multiple digital devices
  5. Figure 2.5 The digital forensics process: collection phase
  6. Figure 2.6 A disc from an opened broken hard drive
  7. Figure 2.7 CPU with potential cached data
  8. Figure 2.8 A smartphone has been disassembled to gain access to memory chips with digital evidence
  9. Figure 2.9 Computers and systems are connected to the Internet
  10. Figure 2.10 An example of seized electronic storage and computing devices to be examined and analyzed
  11. Figure 2.11 The digital forensics process: examination
  12. Figure 2.12 Illustration of a partially broken image file
  13. Figure 2.13 Illustration of filtering using known good file datasets
  14. Figure 2.14 A music DVD, which may contain more data than music videos
  15. Figure 2.15 File carving with database read and search in a digital device for relevant files
  16. Figure 2.16 The digital forensics process: analysis
  17. Figure 2.17 Image as seen by users, by the operating system, and in hardware
  18. Figure 2.18 Example timeline from file system forensics in Autopsy
  19. Figure 2.19 Graphical representation of connected entities in digital evidence with Maltego
  20. Figure 2.20 The digital forensics process: presentation
  21. Figure 2.21 Example report generated by Autopsy
  22. Figure 5.1 Hardware write blockers in a “flyaway” kit
  23. Figure 5.2 E01 example
  24. Figure 5.3 Various disk drives (image courtesy Wikipedia, 2015)
  25. Figure 5.4 Logical drive structure
  26. Figure 5.5 Example diagram of partitions on an MBR disk
  27. Figure 5.6 Example diagram of extended partitions on an MBR disk
  28. Figure 5.7 One full sector and 512 bytes displayed in ASCII and Hex
  29. Figure 5.8 Conceptual volume with clusters and sectors
  30. Figure 5.9 Byte offset
  31. Figure 5.10 MBR and the first six file records abstract on an MFT
  32. Figure 5.11 MFT file record
  33. Figure 5.12 MFT and attributes
  34. Figure 5.13 The MFT record header and attributes required to track a file object
  35. Figure 5.14 Example of an alternate data stream
  36. Figure 5.15 Orphan file, part 1
  37. Figure 5.16 Orphan file, part 2
  38. Figure 5.17 Example of a timeline for a single system
  39. Figure 6.1 Embedded systems and consumer electronics from daily life
  40. Figure 6.2 A map plotter for maritime use, and a car multimedia system with a GPS
  41. Figure 6.3 Structural architecture of a GSM network
  42. Figure 6.4 Structural architecture of a UMTS network
  43. Figure 6.5 EPS structural architecture
  44. Figure 6.6 Comparison between a chip-off method and manual inspection
  45. Figure 6.7 Warning sign for ESD-susceptible devices
  46. Figure 6.8 Main components of a generic embedded system
  47. Figure 6.9 A USB memory stick with 4 TSOP packages at the right side of the picture
  48. Figure 6.10 An IR rework station with a phone PCB mounted for desoldering
  49. Figure 6.11 A chip that has been ground down using a lapping machine
  50. Figure 6.12 A lapping machine
  51. Figure 6.13 A reballed BGA package
  52. Figure 6.14 A pogo pin socket used for reading memory chips
  53. Figure 6.15 Close-up of pogo pins
  54. Figure 6.16 Assessment of the chip-off method
  55. Figure 6.17 JTAG architecture
  56. Figure 6.18 JTAG daisy chain
  57. Figure 6.19 Assessment of the JTAG method
  58. Figure 6.20 Assessment of the manual inspection method
  59. Figure 6.21 Camera setup for documenting a manual inspection
  60. Figure 6.22 Assessment of the SIM logical acquisition method
  61. Figure 6.23 Assessment of the device backup method
  62. Figure 6.24 Assessment of the USB mass storage method
  63. Figure 6.25 Assessment of the MTP protocol method
  64. Figure 6.26 Assessment of the OBEX method
  65. Figure 6.27 The parts of a system using AT commands
  66. Figure 6.28 Assessment of the AT command method
  67. Figure 6.29 Assessment of the ADB method
  68. Figure 6.30 Assessment of the root method
  69. Figure 6.31 Assessment of the boot code method
  70. Figure 6.32 An ATF box (white) used both for flashing a device and for connecting to JTAG
  71. Figure 6.33 Assessment of the flasher box method
  72. Figure 6.34 Assessment of the eMMC chip-off method
  73. Figure 6.35 Assessment of a commercial forensic product
  74. Figure 6.36 A mobile phone with damage from a bullet
  75. Figure 6.37 Erase block, pages, and spare area
  76. Figure 6.38 File systems on top of an FTL and a flash-aware file system
  77. Figure 6.39 Erase block header for the first block in the file system
  78. Figure 6.40 Rebuilt FAT file system
  79. Figure 6.41 YAFFS2 object header from an Android phone
  80. Figure 6.42 Hex dump of a SQLite header
  81. Figure 6.43 Leaf table cells
  82. Figure 7.1 Connecting multiple autonomous systems and finding the shortest path (icons by Visual Pharm)
  83. Figure 7.2 DNS lookup of the domain hig.no (icons by Visual Pharm)
  84. Figure 7.3 Email protocols (icons by Visual Pharm)
  85. Figure 7.4 Illustration of an Internet connection through a NAT (icons by Visual Pharm)
  86. Figure 7.5 Onion routing of a request from Norway to South Africa
  87. Figure 7.6 Information in a cached URL
  88. Figure 7.7 Communities in networks (icons by Visual Pharm)
  89. Figure 7.8 An aggregated timeline (data and visualization by D3)
  90. Figure 7.9 Visualization of a 1.5-hop temporal network
  91. Figure 7.10 World heat map of where the actors in events are located
  92. Figure 7.11 A heat map showing the amount of activity over a year's span

List of Tables

  1. Table 2.1 Examples of order of volatility
  2. Table 2.2 Some factors that affect information availability
  3. Table 4.1 The digital forensic development life cycle
  4. Table 5.1 Common hard drive interfaces
  5. Table 5.2 Simplified MBR data table
  6. Table 5.3 Partition entry
  7. Table 5.4 Common partition types
  8. Table 5.5 GUID partition table (GPT)
  9. Table 5.6 GPT partition entry
  10. Table 5.7 Operating systems and their native file systems
  11. Table 5.8 Some NTFS artifacts that are not covered herein
  12. Table 5.9 NTFS metadata files
  13. Table 5.10 File record data
  14. Table 5.11 Resident and nonresident attribute headers
  15. Table 5.12 Resident attribute header
  16. Table 5.13 Nonresident attribute header
  17. Table 5.14 NTFS file metadata times
  18. Table 5.15 Standard information attributes
  19. Table 5.16 Filename attributes
  20. Table 5.17 Index root attributes
  21. Table 5.18 INDX nodes
  22. Table 5.19 Index allocation attributes
  23. Table 5.20 NTFS INDX record content
  24. Table 5.21 Significant feature differences in EXT file systems
  25. Table 5.22 Event log data
  26. Table 5.23 Examples of computer forensic suites
  27. Table 5.24 Examples of specialized computer forensic tools
  28. Table 5.25 Common hashing algorithms
  29. Table 6.1 The mobile network generations
  30. Table 6.2 Operating systems (OSs) commonly found in mobile phones
  31. Table 6.3 Overview of the system view and method view
  32. Table 6.4 JTAG signals
  33. Table 6.5 Layout of ICCID
  34. Table 6.6 Some common AT commands for GSM
  35. Table 6.7 eMMC signals
  36. Table 6.8 An overview of various acquisition methods
  37. Table 6.9 Objects as they are stored in flash (two of the values are compiler specific)
  38. Table 6.10 Example of a file being created, written to, edited, and deleted in YAFFS2
  39. Table 6.11 SMS_DELIVER PDU fields
  40. Table 6.12 SMS_SUBMIT PDU fields
  41. Table 6.13 TP_MTI fields (Transport Protocol Message Type Indicator)
  42. Table 6.14 TP_VPF (Transport Protocol Validity Period Format)
  43. Table 6.15 Type-of-address octet, with one 3-bit type of number, and one 4-bit numbering plan
  44. Table 6.16 User Data Header
  45. Table 6.17 Information Element used in UDH
  46. Table 6.18 Default SMS character set
  47. Table 6.19 SQLite file header
  48. Table 6.20 Table page header structure in SQLite
  49. Table 6.21 Leaf table structure in SQLite
  50. Table 6.22 Serial types used in the record format
  51. Table 6.23 Payload header and body in the first cell at offset 0x15d in Figure 6.43
  52. Table 6.24 Various timestamp formats
  53. Table 7.1 IP networks and ranges
  54. Table 7.2 DNS record types
  55. Table 7.3 Common web server log fields

List of Examples

  1. Example 2.1: Email from whom?
  2. Example 2.2: First responder mistake
  3. Example 2.3: SpyEye bank account fraud
  4. Example 2.4: SpyEye online banking fraud
  5. Example 2.5: Sony's collaboration with the FBI
  6. Example 2.6: Linking entities in a drug-trafficking case
  7. Example 3.1: The binding effect of the Cybercrime Convention
  8. Example 3.2: The blog case
  9. Example 3.3: Computer search “in accordance with the law”
  10. Example 3.4: The positive obligation to provide subscriber information
  11. Example 3.5: Conditions to be proved in relation to computer intrusion
  12. Example 3.6: National implementation of the Cybercrime Convention, article 2
  13. Example 3.7: Planned murder or assisted suicide?
  14. Example 3.8: Interpretation and analogy
  15. Example 3.9: Password intrusion and vulnerability attack
  16. Example 3.10: Online bank fraud – articles 2 through 8
  17. Example 3.11: The everlasting violation of the child
  18. Example 3.12: Online undercover activities against mega sites
  19. Example 3.13: Repeated search in Danish procedural law
  20. Example 3.14: Search and seizure in relation to a charge of securities fraud
  21. Example 3.15: Megaupload.com
  22. Example 3.16: Evidence and excess information – balancing different rights
  23. Example 3.17: Search of a smartphone
  24. Example 4.1: The Armando Angulo case
  25. Example 4.2: An illustrative story
  26. Example 4.3: An obliging legal assistant
  27. Example 4.4: Missing surveillance footage
  28. Example 4.5: Eliminated evidence
  29. Example 4.6: Controlled by spyware
  30. Example 4.7: The justice system and digital evidence
  31. Example 4.8: An illustrative story
  32. Example 4.9: SpyEye online banking fraud
  33. Example 4.10: SpyEye online banking fraud risk scenario
  34. Example 5.1: Data collection
  35. Example 5.2: Hardware write blockers
  36. Example 5.3: Software-as-a-Service (SaaS) collection
  37. Example 5.4: Scalability of live data acquisition instead of forensic imaging
  38. Example 5.5: Scale, part 2
  39. Example 5.6: Creating a one-byte file
  40. Example 5.7: Windows NTFS recovery partition
  41. Example 5.8: Drive lettering
  42. Example 5.9: Volume shadow service
  43. Example 5.10: RAR passwords
  44. Example 5.11: Carved records
  45. Example 6.1: Searching for a mobile phone
  46. Example 6.2: Ring buffers in video surveillance equipment
  47. Example 6.3: Alarm central
  48. Example 6.4: Adjusting the clock to get an alibi
  49. Example 6.5: Encrypted notes
  50. Example 7.1: Verizon versus Cogent peering disputes
  51. Example 7.2: BGP blackholing by mistake
  52. Example 7.3: Identified by Tor

List of Definitions

  1. Definition 1.1: Forensic science
  2. Definition 1.2: Locard's exchange principle
  3. Definition 1.3: Crime reconstruction
  4. Definition 1.4: 5WH
  5. Definition 1.5: Evidence dynamics
  6. Definition 1.6: Digital forensics
  7. Definition 1.7: Forensically sound
  8. Definition 1.8: Evidence integrity
  9. Definition 1.9: Chain of custody
  10. Definition 1.10: Digital evidence
  11. Definition 2.1: The identification phase
  12. Definition 2.2: Post mortem
  13. Definition 2.3: The collection phase
  14. Definition 2.4: Cryptographic hash
  15. Definition 2.5: Order of volatility
  16. Definition 2.6: The examination phase
  17. Definition 2.7: The analysis phase
  18. Definition 2.8: The presentation phase
  19. Definition 3.1: Criminal offense
  20. Definition 3.2: Coercive investigation method
  21. Definition 3.3: Organized criminal group
  22. Definition 3.4: Computer data
  23. Definition 3.5: Computer system
  24. Definition 3.6: Identity theft in relation to fraud
  25. Definition 3.7: Child sexual abuse material
  26. Definition 3.8: Racist or xenophobic material
  27. Definition 4.1: Digital forensic readiness
  28. Definition 4.2: Enterprise digital forensic readiness
  29. Definition 4.3: Objective test
  30. Definition 4.4: Validation
  31. Definition 4.5: Verification
  32. Definition 5.1: Sector
  33. Definition 5.2: Cluster
  34. Definition 5.3: File system
  35. Definition 5.4: Metadata
  36. Definition 5.5: Endianness
  37. Definition 5.6: Named data stream
  38. Definition 5.7: Orphan file
  39. Definition 5.8: Inode
  40. Definition 5.9: Operating system
  41. Definition 6.1: Embedded system
  42. Definition 6.2: Consumer electronics
  43. Definition 6.3: Ontology
  44. Definition 6.4: Electrostatic discharge (ESD)
  45. Definition 6.5: Carving
  46. Definition 6.6: Keyword search
  47. Definition 6.7: Reverse engineering
  48. Definition 8.1: Computational forensics

List of Abbreviations

5WH Who, Where, What, When, Why, and How
ADB Android Debug Bridge
ADS Alternate Data Stream
API Application Programming Interface
AS Autonomous System
ATA Advanced Technology Attachment
AuC Authentication Center
BCD Binary Coded Decimal
BGA Ball Grid Array
BSC Base Station Controller
BSS Base Station Subsystem
BTS Base Transceiver Station
CDMA Code Division Multiple Access
CHS Cylinder, Head, Sector
CN Core Network
CPU Central Processing Unit
DDoS Distributed Denial of Service
DFRWS Digital Forensics Research Workshop
DFU Device Firmware Upgrade
DST Daylight Saving Time
ECHR European Convention on Human Rights
EDGE Enhanced Data Rates for GSM Evolution
EFS Encrypting File System
EIR Equipment Identity Register
eMMC Embedded Multimedia Card
EPC Evolved Packet Core
EPS Evolved Packet System
ESD Electrostatic Discharge
E-UTRAN Evolved Universal Terrestrial Radio Access Network
exFAT Extended FAT File System
EXT Extended File System
FAT File Allocation Table
FTL Flash Translation Layer
GMSC Gateway Mobile Services Switching Center
GPRS General Packet Radio Service
GPS Global Positioning System
GPT GUID Partition Table
GSM Global System for Mobile Communications
GUID Globally Unique Identifier
HLR Home Location Register
HSS Home Subscriber Server
HTTP Hypertext Transfer Protocol
IC Integrated Circuit
ICCID Integrated Circuit Card ID
ICS Industrial Control System
IDE Integrated Drive Electronics
IEC International Electrotechnical Commission
IMEI International Mobile Equipment Identity
IMSI International Mobile Subscriber Identity
INDX Index Record
IoT Internet of Things
IP Internet Protocol
IPC Interprocess Communication
ISO International Organization for Standardization
JTAG Joint Test Action Group
LBA Logical Block Addressing
LiME Linux Memory Extractor
LTE Long-Term Evolution
LUN Logical Unit Number
LVM Logical Volume Management
MAC Modified, Accessed, Changed Times
MBR Master Boot Record
MFT Master File Table
MME Mobility Management Entity
MS Mobile Station
MSC Mass Storage Device Class
MSC Mobile Services Switching Center
MSD Mass Storage Device
MSISDN Mobile Subscriber ISDN
MTP Media Transfer Protocol
NAT Network Address Translation
NSRL National Software Reference Library
NSS Network and Switching Subsystem
NTFS New Technology File System
OBEX Object Exchange
OMC Operation and Maintenance Center
ONFI Open NAND Flash Interface
OOB Out of Band
OOV Order of Volatility
OS Operating System
OSI Open Systems Interconnection
OSS Operation Subsystem
PCB Printed Circuit Board
PCM Phase Change Memory
PCRF Policy Control and Charging Rules Function
PDU Protocol Data Unit
PE Portable Executable
PF Prefetch
PGP Pretty Good Privacy
PII Personally Identifiable Information
PIN Personal Identification Number
PRNG Pseudo-Random Number Generator
PUK PIN Unlock Key
RAID Redundant Array of Independent Disks
RAM Random Access Memory
RDP Remote Desktop Protocol
ReFS Resilient File System
RF Radiofrequency
RNC Radio Network Controller
RPMB Replay Protected Memory Block
RSS Radio Subsystem
SaaS Software-as-a-Service
SAE System Architecture Evolution
SAS Serial Attached SCSI
SATA Serial AT Attachment
SCADA Supervisory Control and Data Acquisition
SCSI Small Computer System Interface
S-GW Serving Gateway
SID Security Identifier
SIM Subscriber Identity/Identification Module
SLA Service-Level Agreement
SMS Short Message Service
SMSC Short Message Service Center
SoC System-on-a-Chip
SOP Standard Operating Procedure
SSD Solid-State Drive
TAP Test Access Port
TCP Transmission Control Protocol
TP Transport Layer Protocol
TSOP Thin Small Outline Package
UDH User Data Header
UE User Equipment
UFS Universal Flash Storage
UICC Universal Integrated Circuit Card
UMTS Universal Mobile Telecommunications System
USB Universal Serial Bus
UTC Coordinated Universal Time
UTRAN Universal Terrestrial Radio Access Network
VBR Volume Boot Record
VCN Virtual Cluster Number
VLR Visitor Location Register
VPN Virtual Private Network
VSS Volume Shadow Service
YAFFS Yet Another Flash File System