Acquisition

Introduction to Forensic Acquisition

Forensic acquisition is a foundational process in digital forensics, aimed at preserving digital evidence so that it can later be analyzed. It involves creating an exact, bit-for-bit copy of storage media so that all data, including active files, deleted data, and hidden information, is retained for analysis without altering the original evidence.


Key Principles of Forensic Acquisition

1. Integrity Preservation

  • Objective: Ensure the forensic copy is an exact replica of the original.

  • Method: Compute a cryptographic hash (e.g., MD5, SHA-1) of both the original media and the forensic image to verify the integrity of the data.

  • Outcome: The hash of the original device should match the hash of the forensic image.

2. Non-Destructive Process

  • Objective: Protect the original data from alteration.

  • Method: Investigators work exclusively on the forensic copy, leaving the original untouched.

3. Admissibility

  • Objective: Ensure the evidence is admissible in court.

  • Method: Follow established forensic protocols to demonstrate the authenticity and integrity of the data.


Tools for Forensic Acquisition

  • FTK Imager:

    • Creates disk images and extracts specific files.

    • Provides an intuitive interface for imaging and previewing evidence.

  • Autopsy:

    • Open-source platform for analyzing disk images.

    • Supports artifact extraction and timeline analysis.

  • Axiom:

    • Comprehensive forensics tool with advanced acquisition and analysis features.

    • Focuses on structured reporting and artifact visualization.


Browser Data Storage Locations

Web browsers store critical user activity data in structured formats like SQLite databases and JSON files, which are valuable for forensic investigations.

Storage Paths for Common Browsers

  • Firefox:

    %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\

  • Google Chrome:

    %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\

  • Microsoft Edge:

    %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\

  • Opera:

    %USERPROFILE%\AppData\Roaming\Opera Software\Opera Stable

Chrome Browser Artifacts

Most Chrome artifacts are stored under the Default folder. Key files include:

1. History (SQLite Database)

  • Tracks:

    • URLs visited.

    • Download history.

    • Timestamps.

2. Cookies (SQLite Database)

  • Stores:

    • Session data.

    • Tracking information for user activity across websites.

3. Cache

  • Temporary storage for web content such as:

    • Images.

    • Scripts.

4. Bookmarks (JSON File)

  • Provides insights into user preferences and frequently visited sites.

5. Login Data (SQLite Database)

  • Stores saved usernames and passwords.

  • Passwords are typically encrypted.
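Putting the integrity and non-destructive principles above together with the History database: the added Python example below (not code from this course) hashes an acquired copy of Chrome's History file, queries its urls table read-only, converts the WebKit-epoch timestamps Chrome stores, and re-hashes the file to show the copy was not altered. The database it builds is a constructed sample that mirrors the columns of Chrome's real urls table; on a case you would point visited_urls at the acquired History file instead.

```python
import hashlib
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

# Chrome stores timestamps as microseconds since 1601-01-01 UTC (the WebKit epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_iso(microseconds: int) -> str:
    """Convert a Chrome last_visit_time value to an ISO 8601 UTC timestamp."""
    return (WEBKIT_EPOCH + timedelta(microseconds=microseconds)).isoformat()

def sha256_file(path: str) -> str:
    """Hash the acquired file; compared before and after analysis to prove it is unchanged."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def visited_urls(history_path: str) -> list:
    """Read the 'urls' table of a Chrome History copy, most recent visit first."""
    # mode=ro opens the SQLite file read-only, so the forensic copy is never written to.
    conn = sqlite3.connect(f"file:{history_path}?mode=ro", uri=True)
    rows = conn.execute("SELECT url, title, visit_count, last_visit_time FROM urls "
                        "ORDER BY last_visit_time DESC").fetchall()
    conn.close()
    return [(url, title, count, webkit_to_iso(ts)) for url, title, count, ts in rows]

def analyse_copy(history_path: str):
    """Return the parsed visits plus a flag confirming the copy's hash did not change."""
    before = sha256_file(history_path)
    rows = visited_urls(history_path)
    return rows, sha256_file(history_path) == before

def build_sample_history() -> str:
    """Write a constructed History-like database (Chrome's real 'urls' columns) to a temp file."""
    path = tempfile.NamedTemporaryFile(suffix="-History", delete=False).name
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count "
                 "INTEGER, typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER)")
    conn.executemany("INSERT INTO urls VALUES (NULL, ?, ?, ?, ?, ?, 0)", [
        ("https://example.com/", "Example Domain", 3, 1, 13348540800000000),  # 2024-01-01 00:00 UTC
        ("https://example.org/login", "Sign in", 1, 0, 13348544400000000),    # one hour later
    ])
    conn.commit()
    conn.close()
    return path
```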


Analysis Techniques

Manual Analysis

  • SQLite Browser:

    • Used to view and query browser databases (e.g., History, Cookies).

  • Text/JSON Viewer:

    • Allows manual inspection of plaintext or JSON-based files.

Automated Analysis

  • BrowsingHistoryView:

    • Aggregates and displays browser history from multiple browsers in a consolidated view.

  • Hindsight:

    • Specializes in automated parsing and reporting of Chrome browser artifacts.


Key Points

Forensic acquisition is essential to ensure reliable evidence collection. Browser artifacts, such as history, cookies, and login data, provide a wealth of information about user activities. By using both manual and automated tools, investigators can effectively analyze browser data to uncover critical evidence. In subsequent lessons, you’ll gain hands-on experience with these tools to conduct detailed investigations.
