Page 1 of 53

North Carolina
State Bureau of Investigation

Triad Regional Crime Lab

Digital Evidence Section

Computer Forensics
Technical Procedure Manual

June 30, 2009

This document is not controlled if printed.



North Carolina State Bureau of Investigation


Triad Regional Crime Laboratory
Digital Evidence Unit

Computer Forensics Technical Procedure Manual

Any updates, modifications, additions, or deletions to this manual prepared after
the date on the cover sheet must be approved by the Supervisor of the Triad
Regional Crime Lab’s Digital Evidence section and the SAC of the Triad Regional
Crime Lab prior to their implementation.

Any part of the manual that is updated shall be archived and all modifications
shall be recorded in the Revision Notes section at the end of this document. The
Revision Notes section at the end of this document should state: the date of any
updates as well as any modifications, additions, or deletions.

The Bureau’s Assistant Director of Crime Laboratories and Laboratory Quality
Manager will review the section procedure manuals as a part of their annual
quality audit. Documentation of these reviews will be stored on the Section’s
shared document area.


Table of Contents
General Flow Diagram for Forensic Computer Examination 4

General Flow Diagram Forensic Computer Crime Scene Response 5

General Flow Diagram for Taser Examination 6

Crime Scene / Field Response, Evidence Preservation Protocol 7

System Image Restoration Protocol 10

Target Drive Preparation Protocol 12

Hard Drive Removal Protocol 14

Windows Imaging Protocol 16

Removable Media Imaging Protocol 19

Linux Imaging Protocol 21

Mac Imaging Protocol 24

Cable Acquisition Protocol 28

M26 Taser Data Download Protocol 31

X26 Taser Data Download Protocol 33

Taser Function Test Protocol 36

Evidence Search Protocol 38

Results Protocol 41

Approved Software for Forensic Computer Examinations 44

Glossary of Terms 46

References 49

Revision Notes 53


General Flow Diagram for Forensic Computer Examination

(Flow diagram, rendered here as the sequence of steps and decisions it shows.)

1. Prepare system drive (System Image Restoration Protocol).
2. Prepare image drive (Target Drive Preparation Protocol).
3. Does the submitted evidence include a desktop computer?
   Yes: remove the drive from the suspect’s computer (Hard Drive Removal
   Protocol). Is a hardware write blocker available to be used to image this
   drive? Yes: Windows Imaging Protocol. No: DOS Imaging Protocol.
   No: continue to step 4.
4. Does the submitted evidence include a laptop computer?
   Yes: can the hard drive be easily removed from the computer?
   Yes: remove the drive from the suspect’s computer (Hard Drive Removal
   Protocol); then, if a hardware write blocker is available to image the
   drive, use the Windows Imaging Protocol, otherwise the DOS Imaging Protocol.
   No: create an image of the suspect’s hard drive (Cable Acquisition
   Protocol).
   No: continue to step 5.
5. Does the submitted evidence include removable storage media?
   Yes: image the removable media if necessary (Removable Media Imaging
   Protocol).
   No: continue to step 6.
6. Search evidence (Evidence Search Protocol).
7. Results.


General Flow Diagram for Forensic Computer Crime Scene Response

(Flow diagram, rendered here as the sequence of steps and decisions it shows.)

1. Arrive at crime scene (Crime Scene Preservation).
2. Prepare image drive (Target Drive Preparation Protocol).
3. Does the submitted evidence include a desktop computer?
   Yes: remove the drive from the suspect’s computer (Hard Drive Removal
   Protocol). Is a hardware write blocker available to be used to image this
   drive? Yes: Windows Imaging Protocol. No: DOS Imaging Protocol.
   No: continue to step 4.
4. Does the submitted evidence include a laptop computer?
   Yes: can the hard drive be easily removed from the computer?
   Yes: remove the drive from the suspect’s computer (Hard Drive Removal
   Protocol); then, if a hardware write blocker is available to image the
   drive, use the Windows Imaging Protocol, otherwise the DOS Imaging Protocol.
   No: create an image of the suspect’s hard drive (Cable Acquisition
   Protocol).
   No: continue to step 5.
5. Does the submitted evidence include removable storage media?
   Yes: image the removable media if necessary (Removable Media Imaging
   Protocol).
   No: continue to step 6.
6. Search evidence (Evidence Search Protocol).
7. Results.


Taser Examination

(Flow diagram, rendered here as the sequence of steps and decisions it shows.)

1. Is the Taser an X26 or M26 model?
   M26: M26 Acquisition Protocol.
   X26: X26 Acquisition Protocol.
2. Taser Function Test Protocol.
3. Write Report.


Title: Crime Scene / Field Response Evidence Preservation Protocol


Version: 1.0

Introduction:
This procedure describes the steps to be taken by all personnel of the Triad
Lab’s Digital Evidence Unit when they are called upon to provide computer
forensic assistance at crime scenes.

Purpose:
The purpose of this procedure is to secure digital evidence located at a crime
scene and preserve its integrity for further forensic processing.

Equipment:
1. Digital Camera
2. USB thumb drive or USB removable drive with media

Definitions:
Removable Media – digital storage media such as CDs, Zip disks, Jaz disks,
floppy disks, and USB thumb drives which are not permanently installed in the
computer.

Calibration:
None needed for this procedure.

Limitations:
If the suspect computer is networked:
1. Unplugging a suspect computer from a business network can cause data
loss and could potentially damage other computers on the network.
2. Assistance should be sought from the system administrator in isolating the
computer from the network, so long as the administrator is not the suspect
in the case.
3. If the system administrator is the suspect in the case, assistance should
be sought from personnel knowledgeable in the network’s operation.
4. Be sure all computers involved in the search are secured and that no one
is allowed access to them. Important data can be quickly damaged or
destroyed.
5. The computers at the scene should be searched to determine if any
wireless networks or any wireless networking devices exist. If one does
exist, the computer of interest should be either shut down or isolated from
the network.

If the suspect computer is not visibly connected to a network:
6. Powering down a suspect’s computer can cause data loss and could
potentially damage the operating system. Normal shutdown procedures
should be utilized unless there is reason to suspect that either: a suspect
is destroying evidence, someone is manipulating data from an outside
source (through a network or a wireless connection), or a rogue process
will be started upon normal system shutdown.
7. If at any point while securing the computer the analyst believes that
evidence is being destroyed or manipulated from an outside source
through wireless connectivity, the computer must be powered off
immediately.
8. In forcibly shutting down a computer, the plug should be pulled from the
back of the computer, not from the wall outlet. For laptops you must hold
the power button until the system shuts off. Do not unplug a UPS backup
unit to cut power to a computer because the battery in the UPS could
power the computer long enough to complete any destructive processes.

Procedures:
1. Remove the suspect from the computer and do not allow the suspect
access to it.
2. If the computer is networked, isolate and remove the suspect computer
from the network immediately. If the suspect machine is a server, do
everything possible to ensure that no one is allowed access to that server
until it can be isolated from the network.
3. Document the condition of all computers with photographs and notes. This
documentation should include any pictures and written notes concerning
any programs that are open and other information that may appear on the
monitor such as the time given on the clock.
4. Save any open documents on the computer to external media (floppy disk,
USB drive, etc.).
5. Shut down the computer by utilizing normal shutdown procedures unless
there is reason to suspect that either: a suspect is destroying evidence,
someone is manipulating data from an outside source (through a network
or a wireless connection), or a rogue process will be started upon normal
system shutdown.
6. Note the hardware connections to the computer with notes, pictures or
both. Label the cords and the area that they are plugged into so the
system can be reassembled at a later date if necessary.
7. Search the scene for removable media, especially unique USB or firewire
devices.
8. Search the area around the computer for any passwords, account
numbers, or other pertinent information which may have been written
down.

References:
1. Seizing Electronic Evidence; US Secret Service


Notes:
1. It is important to document the connections to the computer before
disassembling it. It may be necessary to put the computer back in its
original condition as it was when it was seized in order to check
functionality of certain devices.
2. The crime scene should be searched thoroughly for removable media. In
some cases, the evidence being sought will only reside on removable
media.
3. If files on the computer are encrypted, finding the password written down
near the computer may be the only way to access the information.


Title: System Image Restoration Protocol


Version: 1.0

Introduction:
This procedure describes the steps to be taken by all personnel of the Triad
Lab’s Digital Evidence Unit in preparing system drives for use in forensic
computer examinations.

Purpose:
The purpose of this procedure is to restore system drives used in forensic
casework to a default state in order to ensure that no cross contamination occurs
between cases.

Equipment:
1. Forensic Tower or Portable Forensic Workstation
2. OS Hard drive
3. Software for creating and restoring system images (Norton Ghost)
4. System Image on CD or DVD

Definitions:
1. System drive – the drive that contains the operating system (OS).
2. System image – factory default or user created backup of the drive that is
used to restore the hard drive(s) on the forensic tower for use when
beginning a new case.

Calibration:
The forensic towers used in casework must be verified each day that they are
used to ensure that the computer hardware and software are functioning
properly. The procedure for this verification process can be found in the Digital
Evidence Unit Validation and Calibration Manual.

Limitations:
Failure to clean the information from a previously used hard drive can lead to the
possibility of data from old cases contaminating a new case.

Procedures:
1. If a previously created system image is available, skip to step 5.
2. If no previously created system image is available, or updates to the
default system image need to be made, use either the original Restore
Disk that came packaged with the Forensic tower or restore the last
known good system image.
3. Install any software and make any necessary changes to be included on
the new system image.
4. Use an approved backup utility to create the image of the system.
5. Restore the system drive using the prepared system image.


References:
1. Digital Evidence Unit Validation and Calibration Manual

Notes:
None


Title: Target Drive Preparation Protocol


Version: 1.0

Introduction:
This procedure describes the steps to be taken by all personnel of the Triad
Lab’s Digital Evidence Unit in preparing target drives for use in forensic computer
examinations.

Purpose:
The purpose of this procedure is to wipe all information from target drives used in
forensic casework in order to ensure that no cross contamination occurs between
cases.

Equipment:
1. Forensic Tower, Portable Forensic Workstation, Laptop, or High-speed
hard drive copier device
2. Target hard drive
3. Approved software for wiping data
4. Approved software for verification of wiped drive

Definitions:
1. Target Drive – the hard drive onto which forensic images are written in
casework and on which the processing of casework may be performed.
2. Wipe – permanently deleting all data from a drive by overwriting every
byte of storage capacity with a known value.

Calibration:
The forensic towers used in casework must be verified each day that they are
used to ensure that the computer hardware and software are functioning
properly. The procedure for this verification process can be found in the Digital
Evidence Unit Validation and Calibration Manual.

Limitations:
Failure to wipe the information from a previously used hard drive can lead to the
possibility of data from old cases contaminating a new case.

Procedures:
1. Select a Target drive that has sufficient storage capacity to hold the image
files from the evidence hard drive(s) as well as sufficient space for any
casework processing functions necessary.
2. Use an approved forensic wiping utility to overwrite all data on the drive.
3. Use appropriate software to verify that the target drive has been wiped
completely.


4. Initialize, partition, format and name the target drive. The name should
identify the target drive to prevent possible confusion with any suspect
drives (e.g. image, target, etc.).
5. Directories should be created on the drive in order to keep the evidence
organized. The format of this drive structure should be developed by the
individual analyst to meet his/her casework needs.
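Steps 2 and 3 above (overwrite every byte with a known value, then verify the target drive is completely wiped), as an added Python example that is not the unit's approved wiping or verification utility; it uses an ordinary file as a stand-in for the drive and assumes a zero fill value.

```python
"""Wipe a target drive with a known value and verify every byte reads back as
that value. Added example; an ordinary file stands in for the block device."""
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB read/write unit


def wipe(path: str, size: int, value: int = 0x00) -> int:
    """Overwrite the first `size` bytes of `path` with `value` and flush them to
    stable storage. Opened without O_TRUNC so the same call works on a device
    node, which cannot be truncated. Returns the number of bytes written."""
    fill = bytes([value]) * CHUNK
    written = 0
    fd = os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)
    with os.fdopen(fd, "wb") as f:
        while written < size:
            n = min(CHUNK, size - written)
            f.write(fill[:n])
            written += n
        f.flush()
        os.fsync(f.fileno())
    return written


def verify_wiped(path: str, value: int = 0x00):
    """Read the whole drive back and confirm every byte equals `value`.
    Returns (ok, first_bad_offset, bytes_checked). A failed check means the
    drive still carries data (e.g. from an earlier case) and is not sterile."""
    fill = bytes([value]) * CHUNK
    checked = 0
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                break
            if chunk != fill[:len(chunk)]:
                # Locate the first deviating byte so it can go in the case notes.
                bad = next(i for i, b in enumerate(chunk) if b != value)
                return False, checked + bad, checked + bad
            checked += len(chunk)
    return True, None, checked


def demo():
    """Constructed 3 MiB + 100 byte 'drive' holding residue from an earlier
    case: the check must fail before the wipe and pass after it."""
    size = 3 * CHUNK + 100
    with tempfile.TemporaryDirectory() as d:
        drive = os.path.join(d, "target.img")
        residue = b"OLD CASE DATA"  # constructed leftover from a previous case
        with open(drive, "wb") as f:
            f.write(b"\x00" * (CHUNK + 1000))
            f.write(residue)
            f.write(b"\x00" * (size - CHUNK - 1000 - len(residue)))
        before = verify_wiped(drive)
        written = wipe(drive, size)
        after = verify_wiped(drive)
    return before, written, after


if __name__ == "__main__":
    print(demo())
```

On a real target the path would be the device node and `size` its full capacity, so that verification covers every byte the drive can hold, not only a partition.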

References:
1. EnCase Forensic User Manual
2. EnCase Intermediate Analysis and Reporting course guide
3. EnCase Advanced Computer Forensics course guide
4. Forensic Toolkit User Guide
5. Forensic Boot Camp Training Manual
6. Digital Evidence Unit Validation and Calibration Manual

Notes:
1. This procedure should be used for new hard drives as well as hard drives
used in previous cases.
2. It is recommended that all hard drives assigned to the Digital Evidence
Unit that are not currently in use be forensically sterilized in preparation for
future casework or possible field work.
3. When responding to image a computer in the field, the Target drives
should be prepared by this procedure prior to arriving at the scene. This
will speed up the process of imaging the computer and will result in a
shorter down time for the evidence computer.


Title: Hard Drive Removal Protocol


Version: 1.0

Introduction:
This procedure describes the steps to be taken by all personnel of the Triad
Lab’s Digital Evidence Unit in removing hard drives from computers which are
evidence in forensic computer examinations.

Purpose:
The purpose of this procedure is to remove the hard drives from computers
submitted for examination while maintaining the integrity of the evidence.

Equipment:
1. Computer repair tool kit
2. Permanent markers
3. Electrostatic discharge wrist strap or similar device
4. Digital camera

Definitions:
BIOS – Basic Input Output System. A number of machine code routines that
are stored in ROM and available for execution at boot.

Calibration:
None needed for this procedure.

Limitations:
Precautions should be used to guard against electrostatic discharges which can
damage or destroy the evidence hard drive. The electrostatic discharge wrist
strap or similar device should be used whenever hard drive removal is
performed.

Procedures:
1. Record the system information from the evidence computer on the FLAIR
notes sheet.
2. If necessary, photograph the condition of the evidence computer prior to
opening the case.
3. Open the case on the computer.
4. If necessary, photograph the internal contents of the evidence computer
prior to removing the hard drive(s).
5. Mark the power cords and data ribbons/connectors connecting the hard
drive to the evidence computer.
6. Remove the hard drive(s) from the evidence computer.
7. Label the hard drive removed from the evidence computer with
appropriate case information to prevent evidence contamination. The
labeling must be in accordance with the SBI Lab Evidence Handling
Policy.


8. Record the drive information such as make, model, serial number, number
of sectors, number of heads, and jumper settings on the notes sheet.
9. With all hard drives removed, boot the evidence computer into the BIOS.
Record the actual date and time as well as the date and time displayed by
the BIOS in the FLAIR notes, making sure to note any discrepancies
between real time and the reported system time.

References:
1. How Computers Work
2. Upgrading and Repairing PCs
3. A+ Exam Study Guides

Notes:
1. The hard drives from laptop computers can be imaged using the same
procedures as the hard drives removed from desktop computers. An
adapter may be necessary to connect the laptop hard drive to the forensic
examination system.
2. Some laptop hard drives have security devices which do not allow them to
be used outside of the laptop computer. In these cases, it is permissible to
image these computers using the Cable Acquisition Protocol or by booting
the laptop into a forensically sound Linux environment.
3. Marking the cords connecting the hard drive to the evidence computer will
allow the examiner to reassemble the computer correctly.


Title: Windows Imaging Protocol


Version: 1.0

Introduction:
This procedure describes the steps to be taken by all personnel of the Triad
Lab’s Digital Evidence Unit in imaging digital evidence submitted to the
Laboratory as evidence while using the Microsoft Windows operating system.

Purpose:
The purpose of this procedure is to use a Microsoft Windows operating system to
create a forensic image of evidence items without altering the data on said
evidence.

Equipment:
1. Forensic Tower, Laptop, or Portable Forensic Workstation
2. Prepared target drive
3. Approved software for forensic imaging

Definitions:
1. MD5 hash – A 128-bit number that uniquely describes the contents of a
file or hard drive. This is the standard hash value used in computer
forensics.
2. Forensic OS drive – Hard drive containing the operating system and all of
the forensic software that will be used in the examination.
3. Target Drive – the hard drive onto which forensic images are written in
casework and on which the processing of casework may be performed.

Calibration:
The forensic towers used in casework must be verified each day that they are
used to ensure that the computer hardware and software are functioning
properly. The procedure for this verification process can be found in the Digital
Evidence Unit Validation and Calibration Manual.

Limitations:
Forensically sound write-blocking hardware devices must be used to write protect
the evidence items. If no such write-blocking device exists then the evidence
item cannot be imaged using this protocol.

Procedures:
1. Attach the evidence to the forensic computer using a forensically sound
write-blocking / read-only hardware device.
2. Boot the forensic computer into the Windows OS.
3. Use an approved hashing program to obtain the MD5 hash value of the
evidence item before imaging.


4. Make a forensic image of the evidence item onto the target drive using an
approved imaging software program in Windows, following the imaging
procedures specific to the product*.
5. The resulting forensic image files should be limited in size to 640 MB if the
image files will be written to CDs or to 1100 MB if the image files will be
written to DVDs.
6. Due to the limitations of EnCase when imaging optical media, all optical
media must be imaged using FTK Imager. Analysts must be aware of the
limitations of all hashing algorithms when dealing with optical media.
7. While the evidence item is attached to the forensic computer via the write-
blocking / read-only hardware device, additional programs that require
access to the physical disk should be run (e.g. anti-virus software,
NetAnalysis, etc.).
8. After verifying that the forensic image has been successfully completed
and all additional processes have been run (see step 7 above), remove
the suspect's hard drive from the forensic computer.

References:
1. EnCase Forensic User Manual
2. EnCase Intermediate Analysis and Reporting course guide
3. EnCase Advanced Computer Forensics course guide
4. Forensic Toolkit User Guide
5. Forensic Boot Camp Training Manual
6. Digital Evidence Unit Validation and Calibration Manual

Notes:
1. * In the event of read errors being reported during imaging, the following
procedure must be followed:
(1) The evidence item must be acquired with a sector setting of one sector
[default on FTK Imager | Error Granularity = 1 on EnCase] and the resulting
hash value recorded.
(2) The evidence item must be hashed again with a different approved hashing
software and the resulting hash value recorded.
(3) If the two hash values from steps one and two above match, then the
Analyst may proceed with the assurance of a good image and hash value. If
the two values do not match, then the analyst must remove the evidence item
from the forensic computer and must hash the evidence item using another
forensic computer or approved hashing device. If the resulting hash value
still does not match any previously generated hash value, then the analyst
must note this error in the case notes and cease all work on the evidence
item until a senior Digital Evidence Analyst can be consulted concerning the
error.
2. Any approved imaging software or device may be used to generate
forensic images.
3. Forensic Imaging and making a copy are not the same process. Copying
takes place through an operating system and only logical files are copied
during the process – unallocated space and deleted files are not copied.
When a forensic image is created a bitwise, complete copy of the data on
the evidence item is written to the target drive, which includes any slack
space, unallocated space, and deleted files.
4. When working with laptop hard drives an adapter may be required to
connect the drive to the write-blocking / read-only hardware device.
5. If no write-blocking / read-only hardware device exists to connect the
evidence item to the forensic computer then the Windows OS cannot be
used to perform the imaging process.
6. Using image compression during the imaging process has NO damaging
effects on the evidence or the integrity of the resulting image file(s).
7. In the event that an image cannot be made of the evidence item due to
either hardware or software problems, all approved methods of imaging
the drive must be exhausted and the attempts to image the hard drive
should be completely documented. The evidence item must NEVER be
examined directly.
8. In instances where the virus scan takes an excessive amount of time to
complete, it is permissible to copy all of the logical files out to the hard
drive and run the scan on these files.
9. Virus definitions on anti-virus software should be updated regularly.


Title: Removable/External Media Imaging Protocol


Version: 1.0

Introduction:
This procedure describes the steps to be taken by all personnel of the Triad
Lab’s Digital Evidence Unit in imaging various types of removable media which
may be submitted to the Laboratory.

Purpose:
The purpose of this procedure is to image various types of removable media,
including: floppy disks, CDs, DVDs, MP3 players, Zip disks, Jaz disks, digital
cameras and flash memory cards, without making changes to the data on the
media.

Equipment:
1. Forensic Tower, Portable Forensic Workstation, or Laptop
2. Prepared target drive

Definitions:
Target Drive – the hard drive onto which forensic images are written in
casework and on which the processing of casework may be performed.

Calibration:
The forensic towers used in casework must be verified each day that they are
used to ensure that the computer hardware and software are functioning
properly. The procedure for this verification process can be found in the Digital
Evidence Unit Validation and Calibration Manual.

Limitations:
1. When a case is submitted to the laboratory that contains a PDA, great
care should be taken to ensure that the batteries do not go dead. The
volatile memory in a PDA can be lost when the batteries are totally
discharged. PDAs which use AA or AAA batteries should have new
batteries placed into the PDA. PDAs with rechargeable batteries should be
charged if the charger is submitted. If these things cannot be done to
ensure the safety of the evidence on the PDA, the evidence should be
imaged as closely as possible to the time of submission.

Procedures:
1. If possible, write protect any removable media.
2. The evidence may be imaged to a blank copy of the same media type.
The original media should be labeled as the original, and the duplicates
should be used for examination.
3. If the media can be write protected and keyword searches are not needed
on the media, it is permissible to preview the original media without
making an image first.


Floppy Disks
1. High density and double density floppy disks must be write-protected.
Floppy disks can be imaged either as a batch through EnCase or imaged
individually.
CDs/DVDs
1. Due to the limitations of EnCase when imaging optical media, all optical
media must be imaged using FTK Imager. Analysts must be aware of the
limitations of all hashing algorithms when dealing with optical media.
Zip Disks
1. Zip disks have no internal write protection mechanism and therefore must
be imaged by connecting a USB external Zip drive to the forensic
computer by means of a forensic USB write-blocking bridge.
2. Serial connections for Zip drives cannot be write-blocked and therefore
are not permitted for Zip disk imaging.
PDAs
1. For PDA examination, a docking cradle made for the particular make and
model of PDA is required. The docking cradle must be connected to the
forensic computer by means of a write-blocking device.
Digital Cameras / Flash Memory Cards
1. For examination of digital cameras, the flash memory cards should be
removed from the camera. A forensically sound flash media card reader is
used to read the data on the media.

References:
1. EnCase Forensic User Manual
2. EnCase Intermediate Analysis and Reporting course guide
3. EnCase Advanced Computer Forensics course guide
4. Forensic Toolkit User Guide
5. Forensic Boot Camp Training Manual
6. Digital Evidence Unit Validation and Calibration Manual

Notes:
1. When working with re-writable optical media disks it is preferred that the
evidence disk be placed into a ROM drive rather than a drive with write
capabilities to prevent potential changes being made to the evidence. The
optical media drives installed on the computer forensic unit’s forensic
towers have been validated to ensure that changes will not be made to
evidence media upon insertion.
2. If no write-blocking / read-only hardware device exists to connect the
evidence item to the forensic computer then the Windows OS cannot be
used to perform the imaging process.
3. When batch imaging floppy disks, EnCase chooses the disk capacity of
the first floppy imaged as the capacity of all floppies in the batch. If a
double density disk is imaged first, EnCase will not see all of the data on
any high density disks which are imaged later in the batch. Therefore,
high density disks must be imaged first in any batch.


Title: Linux Imaging Protocol


Version: 1.0

Introduction:
This procedure describes the steps to be taken by all personnel of the Triad
Lab’s Digital Evidence Unit in imaging digital evidence submitted to the
Laboratory as evidence while using a forensically sound Linux operating system.

Purpose:
The purpose of this procedure is to use a forensically sound Linux operating
system to create a forensic image of evidence items without altering the data on
said evidence.

Equipment:
1. Forensic Tower, Laptop, or Portable Forensic Workstation
2. Prepared target drive
3. Bootable forensically sound Linux operating system
4. Approved software for forensic imaging

Definitions:
1. MD5 hash – A 128-bit number that uniquely describes the contents of a
file or hard drive. This is the standard hash value used in computer
forensics.
2. Forensic OS drive – Hard drive containing the operating system and all of
the forensic software that will be used in the examination.
3. Forensically sound Linux operating system – A bootable Linux operating
system that runs entirely in the computer’s memory and has been
specifically modified to mount all devices connected to the system in a
read-only state (e.g. Helix, Knoppix, etc.).
4. Target Drive – The hard drive onto which forensic images are written in
casework and on which the processing of casework may be performed.

Calibration:
The forensic towers used in casework must be verified each day that they are
used to ensure that the computer hardware and software are functioning
properly. The procedure for this verification process can be found in the Digital
Evidence Unit Validation and Calibration Manual.

Limitations:
The analyst must be fully aware of how the mounting process in Linux works and
must be comfortable performing command line functions. The analyst must also
inspect any forensically sound Linux operating system variant to ensure that all
devices are being mounted in a read-only state before using that variant to mount
and image evidence media.


This protocol is most often used in situations where a write-blocking / read-only
hardware device cannot be used to protect the evidence item. The forensically
sound Linux operating system can be used to boot a suspect computer for
examination because it runs only in the memory of the suspect computer and
does not write to any device on the computer.

Great care must be taken when booting a suspect computer into the forensically
sound Linux operating system. The BIOS on the suspect computer must be
examined to ensure that the media device that contains the forensically sound
Linux operating system (on CD or USB device) will be booted first. The Analyst
may need to consult the manufacturer’s website on the Internet in order to utilize
the correct key sequence to facilitate entering the suspect computer’s BIOS
setup program.

Procedures:
If a suspect computer is to be imaged:
1. Boot the suspect computer into its BIOS setup program. DO NOT
UNDER ANY CIRCUMSTANCES ALLOW THE SUSPECT COMPUTER
TO BEGIN TO BOOT INTO ITS NATIVE OPERATING SYSTEM!!! If you
see any indication that the suspect computer is booting into its native OS,
then forcibly shut it down IMMEDIATELY and note this in your case notes.
Be sure that you can enter the BIOS setup program before proceeding.
2. Insert the forensically sound Linux operating system (CD / USB device,
etc.) into the suspect computer and boot the suspect computer into the
forensically sound Linux OS.

If no suspect computer is involved:
1. Boot the forensic computer into the forensically sound Linux OS.
2. Insert the evidence media into the forensic computer.

For both methods:
3. Use an approved hashing program to obtain the MD5 hash value of the
evidence item before imaging.
4. Make a forensic image of the evidence item onto the target drive using an
approved imaging software program following the imaging procedures
specific to the product.
5. The resulting forensic image files should be limited in size to 640 MB if the
image files will be written to CDs or to 1100 MB if the image files will be
written to DVDs.
6. After verifying that the forensic image has been successfully completed
shut down the suspect's computer and/or the forensic tower and
remove/disconnect the evidence item.
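Steps 3 to 6 above as a single shell function, added here as an illustration and not taken from the manual or from any approved imaging product: it hashes the evidence item before imaging, makes a bit-for-bit copy with dd, splits the copy into segments of a chosen size (640M for CDs, 1100M for DVDs) and re-hashes the reassembled segments to verify the image. The source path, output directory and segment size are parameters supplied by the caller; the tools are standard GNU coreutils on a Linux live environment.

```shell
#!/bin/sh
# Added example (not part of the SBI manual): hash, image, segment and verify
# an evidence item with GNU coreutils. All paths are supplied by the caller.

# image_evidence SOURCE OUTDIR [SEGMENT_SIZE]
# Writes pre_image.md5, the image segments and post_image.md5 into OUTDIR.
# Returns 0 only when the hash of the reassembled image equals the hash
# taken from the evidence item before imaging.
image_evidence() {
    src="$1"; out="$2"; seg="${3:-640M}"
    mkdir -p "$out"

    # Step 3: hash the evidence item BEFORE imaging and keep the value.
    pre=$(md5sum "$src" | cut -d' ' -f1)
    echo "$pre  $(basename "$src")" > "$out/pre_image.md5"

    # Step 4: bit-for-bit copy. conv=noerror,sync keeps reading past an
    # unreadable sector and zero-fills it (bs=512 so no padding is added to a
    # healthy item); status=none silences dd's progress output.
    dd if="$src" of="$out/evidence.dd" bs=512 conv=noerror,sync status=none

    # Step 5: cut the image into segments that fit the archive medium
    # (evidence.dd.000, evidence.dd.001, ...), then drop the monolithic copy.
    split -b "$seg" -d -a 3 "$out/evidence.dd" "$out/evidence.dd."
    rm "$out/evidence.dd"

    # Verification: reassemble the segments in order and hash the stream.
    post=$(cat "$out"/evidence.dd.??? | md5sum | cut -d' ' -f1)
    echo "$post" > "$out/post_image.md5"

    echo "pre-image MD5:  $pre"
    echo "post-image MD5: $post"
    [ "$pre" = "$post" ]
}

# Usage from a forensically sound live environment, with the source device
# already confirmed to be read-only (hypothetical paths):
#   image_evidence /dev/sdb /mnt/target/case_image 640M
```

If the item has unreadable sectors, the zero-filled blocks make the post-image hash differ from the pre-image hash; the function then returns non-zero, which is the cue to document the attempt as note 4 of this protocol requires rather than to retry against the original item.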

References:
1. Linux Desk Reference
2. Digital Evidence Unit Validation and Calibration Manual

Notes:
1. Any approved imaging software or device may be used to generate
forensic images.
2. Forensic Imaging and making a copy are not the same process. Copying
takes place through an operating system and only logical files are copied
during the process – unallocated space and deleted files are not copied.
When a forensic image is created a bitwise, complete copy of the data on
the evidence item is written to the target drive, which includes any slack
space, unallocated space, and deleted files.
3. Using image compression during the imaging process has NO damaging
effects on the evidence or the integrity of the resulting image file(s).
4. In the event that an image cannot be made of the evidence item due to
either hardware or software problems, all approved methods of imaging
the drive must be exhausted and the attempts to image the hard drive
should be completely documented. The evidence item must NEVER be
examined directly.

Title: Mac Imaging Protocol


Version: 1.0

Introduction:
This procedure describes the steps to be taken by all personnel of the Triad
Lab’s Digital Evidence Unit in imaging computers running the Apple Macintosh
operating system submitted to the Laboratory as evidence.

Purpose:
The purpose of this procedure is to properly create a forensic image of a
computer running the Apple Macintosh operating system without altering the data
on said computer. This procedure covers imaging of Macs when the hard drive
can be removed and in situations when the hard drive cannot be removed.

Equipment:
1. Forensic Tower
2. Macintosh laptop specifically used for Mac forensics analysis
3. FireWire (IEEE 1394) cable
4. Forensically sound, bootable CD for Power PC Macintosh hardware
5. Forensically sound, bootable CD for Intel-based Macintosh hardware
6. Prepared target drive

Definitions:
1. FireWire Target Mode – FireWire Target Mode allows a Mac system to act
as if the entire computer were an external FireWire hard drive for another
system. This mode works at the firmware level before the operating
system is engaged and booted. It is entered by holding down the “T” key
on the Mac system during the boot process.
2. Forensically sound, bootable CD for Power PC Macintosh hardware – A
forensically sound, bootable CD for Power PC Macintosh hardware is a
Linux operating system variant on a CD that has been specially
constructed for forensic examination of live Macintosh systems that have
the Power PC processor chips. The CD is forensically sound due to the
fact that all media on the system is placed in read-only mode.
3. Forensically sound, bootable CD for Intel-based Macintosh hardware – A
forensically sound, bootable CD for Intel-based Macintosh hardware is a
Linux operating system variant on a CD that has been specially
constructed for forensic examination of live Macintosh systems that have
the Intel processor chips. The CD is forensically sound due to the fact that
all media on the system is placed in read-only mode.
4. fstab – fstab is a configuration file that contains information for all of
the partitions and storage devices in a Linux-based computer. fstab
contains information concerning how and where the partitions and storage
devices in a Linux-based system should be mounted.

5. HFS - Hierarchical File System (HFS) is a file system developed by Apple
for use in computers running Mac OS. HFS is also referred to as Mac OS
Standard.
6. HFS+ - HFS Plus or HFS+ is a file system developed by Apple to replace
their Hierarchical File System (HFS) as the primary file system used in
Macintosh computers (or other systems running Mac OS). HFS Plus is an
improved version of HFS, supporting much larger files (block addresses
are 32-bit length instead of 16-bit) and using Unicode for naming the file
items. HFS Plus also uses a full 32-bit allocation mapping table, rather
than HFS’s 16 bits. HFS Plus is also referred to as Mac OS Extended.

Calibration:
The forensic towers used in casework must be validated each day that they are
used to ensure that the computer hardware and software are functioning
properly. The procedure for this validation process can be found in the Digital
Evidence Unit Validation and Calibration Manual.

Precautions:
1. NEVER use a Microsoft Windows operating system to preview or image a
live Macintosh system. Microsoft operating systems “touch” drives during
the boot sequence and hence modify the data of the suspect computer.
2. If you are using another Mac as the examination platform, make sure that
you turn off DiskArbitration; otherwise there may be inadvertent writes to
the suspect Mac system.

Limitations:
1. Be sure to plug in a power cable to any MacBook or other Macintosh
laptop to be previewed. Do not allow a laptop to run on battery power
during a preview or acquisition if the appropriate AC power cord is
available.

Procedures:
If the hard drive can be successfully removed from the Mac system:
1. If the hard drive can be successfully removed from the suspect system
then you may image the drive using the Windows Imaging Protocol
because the removed hard drive is no different than any other hard drive
at that point.
2. If the Analyst desires to analyze the data from the suspect Macintosh
computer in the native (Mac) format then the image file must be saved in
raw/DD format as a single file in order to be analyzed as a disk image file
by the analysis system.

If the hard drive cannot be successfully removed from the Mac system:
1. Boot up the Mac and hold down the "Option" key until the selection dialog
is presented. If the Mac presents you with a lock icon and a password
dialog box then there is a firmware password in place on this Mac and you
cannot proceed. If however, you see icons for bootable partitions then
there is no firmware password and you may proceed.
2. If no firmware password is installed, reboot the Mac and hold down the "T"
key until you see a screen with a FireWire logo floating around. Selecting
this boot option will place the Mac into FireWire Target Mode.
3. Attach the suspect Mac system to the forensic computer via a FireWire
connection.
4. Boot the forensic computer into a forensically sound operating system
environment. If using a Windows computer then the computer must be
booted with a forensically sound Linux variant. If using a Mac then the
user must mount the suspect Macintosh system in read-only mode and
DiskArbitration must be turned off.
5. Use an approved hashing program to obtain the MD5 hash value of the
evidence item before imaging.
6. Make a forensic image of the suspect Mac system onto the target drive
using an approved imaging software program following the imaging
procedures specific to the product.
7. The resulting forensic image files should be limited in size to 640 MB if the
image files will be written to CDs or to 1100 MB if the image files will be
written to DVDs. If the Analyst desires to analyze the data from the
suspect Macintosh computer in the native (Mac) format then the image file
must be saved in raw/DD format as a single file in order to be analyzed as
a disk image file by the analysis system.
8. After verifying that the forensic image has been successfully completed
shut down the suspect Mac computer and/or the forensic computer and
remove/disconnect the FireWire cable.

If the Analyst chooses to use a forensically sound Linux variant (as needed):
1. When the forensically sound Linux environment has fully loaded, open up
a terminal session.
2. Navigate to the /etc directory.
3. Edit the fstab file using vi or another text editor. Navigate to the entry in
the fstab file that corresponds to the HFS partition on the Mac’s hard
drive and change the partition type from “hfs” to “hfsplus”.
4. If there is a need to copy data off of the Mac during the preview, the target
drive must be mounted as read/write in the fstab file by changing the "ro"
characteristic (Read-Only) to "rw" (Read-Write). Be cautious to ensure
that only the target drive is mounted as Read-Write.
5. Save the changes to the fstab file and close the terminal session.
6. If using the GUI, click once on the Mac hard drive icon to mount the drive.
Repeat this process for the target drive (if used) to mount the target drive.
If using the command line, mount both the suspect drive and the target
drive.
7. Use an approved hashing program to obtain the MD5 hash value of the
evidence item before imaging.
8. Make a forensic image of the suspect Mac system onto the target drive
using an approved imaging software program following the imaging
procedures specific to the product.
9. The resulting forensic image files should be limited in size to 640 MB if the
image files will be written to CDs or to 1100 MB if the image files will be
written to DVDs. If the Analyst desires to analyze the data from the
suspect Macintosh computer in the native (Mac) format then the image file
must be saved in raw/DD format as a single file in order to be analyzed as
a disk image file by the analysis system.
10. After verifying that the forensic image has been successfully completed
shut down the suspect Mac computer and/or the forensic computer and
remove/disconnect the FireWire cable.
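Steps 3 and 4 of the fstab edit, plus the check the Linux Imaging limitations call for (inspecting the boot medium so that every device except the target is mounted read-only), as shell functions. This is an added example, not the manual's procedure or part of any live CD; the fstab below is constructed, the device names are hypothetical, and the functions write the edited file to standard output so the analyst can review the result before replacing /etc/fstab.

```shell
#!/bin/sh
# Added example (not part of the SBI manual): edit and audit the fstab used
# by a forensically sound Linux boot medium. Device names are hypothetical.

# set_hfsplus FSTAB DEVICE
# Step 3: change DEVICE's filesystem type from "hfs" to "hfsplus".
# Every other line is printed unchanged.
set_hfsplus() {
    awk -v dev="$2" '$1 == dev && $3 == "hfs" { $3 = "hfsplus" } { print }' "$1"
}

# set_target_rw FSTAB DEVICE
# Step 4: replace the "ro" option with "rw" on DEVICE's line only, keeping
# the other mount options (noauto, user, ...) in place.
set_target_rw() {
    awk -v dev="$2" '
        $1 == dev {
            n = split($4, o, ","); s = ""
            for (i = 1; i <= n; i++) {
                if (o[i] == "ro") o[i] = "rw"
                s = s (i > 1 ? "," : "") o[i]
            }
            $4 = s
        }
        { print }' "$1"
}

# audit_fstab FSTAB TARGET_DEVICE
# Lists every real filesystem entry other than TARGET_DEVICE whose options do
# not contain "ro". Returns 1 if any such entry exists, 0 when the medium
# mounts everything but the target read-only.
audit_fstab() {
    bad=$(awk -v target="$2" '
        /^[ \t]*#/ || NF < 4 { next }                      # comments, short lines
        $3 == "swap" || $3 == "proc" || $3 == "sysfs" || $3 == "tmpfs" { next }
        $1 == target { next }                              # the only rw entry allowed
        {
            n = split($4, o, ","); ro = 0
            for (i = 1; i <= n; i++) if (o[i] == "ro") ro = 1
            if (!ro) print $1
        }' "$1")
    if [ -n "$bad" ]; then
        echo "WRITABLE entries other than $2: $bad"
        return 1
    fi
    echo "OK: every entry except $2 in $1 is read-only"
    return 0
}

# Typical sequence (hypothetical devices; review the output before copying it
# over /etc/fstab, which on a live CD exists only in memory):
#   set_hfsplus /etc/fstab /dev/sda2 > /tmp/fstab.1
#   set_target_rw /tmp/fstab.1 /dev/sdb1 > /tmp/fstab.2
#   audit_fstab /tmp/fstab.2 /dev/sdb1 && cp /tmp/fstab.2 /etc/fstab
```

Running audit_fstab before mounting anything turns the "be cautious" in step 4 into a check with a definite answer: the edit is only copied into place when the single writable entry is the target drive.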

References:
1. Mac OS X, iPod, and iPhone Forensic Analysis
2. Linux Desk Reference
3. Digital Evidence Unit Validation and Calibration Manual

Notes:
1. The changes to the fstab file allow the forensically sound Linux
environment to properly read the file system on newer Macintosh
systems while remaining in a read-only state. Because this file
remains in the active memory of the computer it remains forensically
sound and does not “touch” the suspect computer.
2. The industry standard best practice for examining a Macintosh system
is to boot the Mac into FireWire Target mode because this mode
engages at the firmware level before the operating system is booted
and before any files are “touched”. To enter FireWire Target Mode
boot the Mac and hold down the "T" key until a screen with a floating
FireWire logo is seen.

Title: Cable Acquisition Protocol


Version: 1.0

Introduction:
This procedure describes the steps to be taken by all personnel of the Triad
Lab’s Digital Evidence Unit in imaging computers using a null-modem parallel
(laplink) cable or network crossover cable.

Purpose:
The purpose of this procedure is to image evidence drives still installed in the
evidence computers in a situation where the hard drive is impossible to remove.
This protocol provides a procedure for imaging these computers without making
changes to the data on the evidence drive.

Equipment:
1. Forensic Tower, Laptop, or Portable Forensic Workstation
2. Prepared target drive
3. EnCase boot floppy

Definitions:
1. Target Drive – the hard drive used in casework to receive forensic
images and on which the processing of casework may be performed.
2. Evidence Drive - Hard drives submitted to the Laboratory as evidence.
3. EnCase boot floppy - a 3 ½ inch computer disk containing the MS DOS
operating system and a copy of the EnCase forensic imaging program
which is used to boot a computer without altering the data on evidence
hard drives.
4. Server mode – DOS mode that the suspect computer is put into to enable
it to send data to a forensic computer in a forensically safe manner for
imaging.
5. Client mode - DOS mode that the forensic computer is put into to enable it
to receive data from an evidence computer in a forensically safe manner
for imaging.

Calibration:
The forensic towers used in casework must be verified each day that they are
used to ensure that the computer hardware and software are functioning
properly. The procedure for this verification process can be found in the Digital
Evidence Unit Validation and Calibration Manual.

Limitations:
1. If possible, check the evidence computer prior to booting to ensure that
the boot order is to the floppy drive first. Also, disable any power saving
features in the BIOS.
2. Always set up the evidence computer in server mode first before setting
up the forensic computer.

Procedures:
1. Set up the evidence computer in server mode by booting into DOS using
an EnCase boot floppy.
2. Connect the evidence computer and forensic computer using a network
crossover cable between the network interface cards or connect the
laplink cable from the parallel port of the evidence computer to the parallel
port of the forensic computer (running through the dongle if a parallel port
dongle is used).
3. Once the evidence computer has booted, run EnCase in DOS.
4. The evidence computer will display its hard drive information on the
screen and you will note that the evidence drive is locked.
5. Choose “server mode” from the choices at the bottom of the screen.
6. A window will be displayed showing “Server Mode” and the message
“waiting to connect”.
7. Install the target drive into the forensic computer.
8. Set up the forensic computer in client mode by booting the forensic
computer into DOS using an EnCase forensic boot disk and running
EnCase.
9. Ensure that the screen of the forensic computer shows “client mode” in
the title bar.
10. The information that you now see on the screen will be from the evidence
computer.
11. Prior to imaging the hard drive, use an approved hashing program to
obtain the MD5 hash value of the evidence drive before imaging.
12. Ensure that the evidence drive is locked and unlock the Target drive.
13. EnCase asks if you would like to compress the file. Compression may be
used at the analyst’s discretion.
14. When asked if you would like to do a MD5 hash, choose YES. EnCase
uses this hash to verify that the Target drive is an exact forensic image of
the evidence hard drive.
15. EnCase offers the ability to password protect the image. The decision as
to whether or not to use password protection is left to the discretion of the
analyst.
16. When acquisition has started, the server (suspect) computer window will
show that a connection has been established and the data being
transferred.

References:
1. EnCase Forensic User Manual
2. EnCase Intermediate Analysis and Reporting course guide
3. EnCase Advanced Computer Forensics course guide
4. Digital Evidence Unit Validation and Calibration Manual

Notes:
1. THIS PROTOCOL SHOULD ONLY BE USED AS AN ABSOLUTE LAST
OPTION – ALL OTHER OPTIONS SHOULD BE EXHAUSTED FIRST!!
2. In order to use a network crossover cable, the suspect computer must be
equipped with a network interface card and the forensic boot disk must
contain the DOS drivers for that network interface card. Otherwise, the
parallel cable must be used.
3. This is a very slow method of data acquisition. Using a network crossover
cable is a faster method of imaging a hard drive than using a parallel
cable. A hard drive greater than 20 GB in size may take several days to
acquire using a parallel cable.

Title: M26 Taser Data Download Protocol


Version: 1.0

Introduction:
This procedure describes the steps to be taken by all personnel of the Triad
Lab’s Digital Evidence Unit in downloading the firing data from M26 model
Tasers.

Purpose:
The purpose of this procedure is to retrieve the firing data from M26 Tasers that
are submitted to the Laboratory for analysis. This protocol provides a procedure
for downloading this data without making changes to the data on the Taser.

Equipment:
1. Forensic Tower
2. M26 dataport download kit from Taser International

Definitions:
M26 dataport download kit – kit containing the hardware and software needed
to download the firing information from an M26 Taser.

Calibration:
The forensic towers used in casework must be verified each day that they are
used to ensure that the computer hardware and software are functioning
properly. The procedure for this verification process can be found in the Digital
Evidence Unit Validation and Calibration Manual.

Precautions:
1. M26 Tasers are high energy weapons and should be handled with great
care.
2. If a live cartridge is attached to the front of the weapon, it has the ability to
discharge sharp projectiles. These cartridges should be removed from
weapons submitted for examination.
3. The M26 Taser can still deliver an electrical shock with the cartridge
removed. Analysts should keep the safety engaged whenever possible,
keep his or her finger off of the trigger whenever possible, and avoid
touching the electrodes on the front of the weapon.

Limitations:
1. The M26 data log shows the trigger pulls in increments of 5 seconds. If
the user pulls the trigger once and releases it the M26 will fire for five
seconds and the data log will show one firing. If the user pulls the trigger
and holds it for longer than 5 seconds the unit will continue to fire and the
data log will show multiple firings. For example, if the user pulls and holds
the trigger longer than 5 seconds but less than 10 seconds, the data log
will show two firings. If the user pulls and holds the trigger longer than 10
seconds but less than 15 seconds, the data log will show three firings.
2. There is no record of time changes stored on the M26, as there is with the
X26. If the user changes the time on the M26 the time change will be
reflected in the next firing entry, but there is no record stored when the
user changes the time.

Procedures:
1. Install the software from the M26 dataport download kit on the forensic
tower if it is not already installed.
2. Verify that the time and time zone information on the forensic tower are
correct.
3. To begin the acquisition process, the Taser must have the safety
engaged, the batteries must be in the unit, and the Data Port Plug must be
removed.
4. Connect one end of the 9 Pin serial cable to the serial port of the forensic
tower and the other end to the interface box.
5. Connect one end of the interface cable (blue cable) to the interface box
and the other end to the M26 Taser Data Port. The light on the interface box
will light up (green light) while the light on the M26 Taser will (depending
on the charge in the batteries) blink three times before staying lit or
continue to blink.
6. Open the Taser interface program and enter the number of the comm port
that the Taser is connected to and the password. The password can be
found written on the outside of the diskette in the M26 download kit.
7. Download the firing data.
8. Save the firing data to a file on the Forensic Tower.

References:
1. Operational Use of Logging Program V2.0 (found as the readme file on
the diskette in the M26 download kit)
2. Digital Evidence Unit Validation and Calibration Manual

Notes:
1. The following firing information will be displayed for the Taser: Line #,
date (mm/dd/yy), time (in military time), and day of the week for each
discharge.
2. During verification testing, when the trigger on the Taser was held for
more than 5 seconds, there were intermittent errors in the firing data (time
incrementing by 6 minutes on a 10-second trigger pull, a 7-second trigger
pull with only one entry instead of two, and an incorrect date on an entry
for a 12-second trigger pull).

Title: X26 Taser Data Download Protocol


Version: 1.0

Introduction:
This procedure describes the steps to be taken by all personnel of the Triad
Lab’s Digital Evidence Unit in downloading the firing data from X26 model
Tasers.

Purpose:
The purpose of this procedure is to retrieve the firing data from X26 Tasers that
are submitted to the Laboratory for analysis. This protocol provides a procedure
for downloading this data without making changes to the data on the Taser.

Equipment:
1. Forensic Tower
2. USB data interface module from Taser International

Definitions:
1. USB data interface module – kit containing the hardware and software
needed to download the firing information from an X26 Taser.
2. USB DPM – connector from the interface module which plugs into the
battery compartment of the X26 Taser.

Calibration:
The forensic towers used in casework must be verified each day that they are
used to ensure that the computer hardware and software are functioning
properly. The procedure for this verification process can be found in the Digital
Evidence Unit Validation and Calibration Manual.

Precautions:
1. X26 Tasers are high energy weapons and should be handled with great
care.
2. If a live cartridge is attached to the front of the weapon, it has the ability to
discharge sharp projectiles. These cartridges should be removed from
weapons submitted for examination.
3. The X26 Taser can still deliver an electrical shock with the cartridge
removed. Analysts should keep the safety engaged whenever possible,
keep his or her finger off of the trigger whenever possible, and avoid
touching the electrodes on the front of the weapon.

Limitations:
None

Procedures:
1. Install the software from the USB data interface module on the forensic
tower if it is not already installed.
2. Verify that the time and time zone information on the forensic tower are
correct.
3. Ensure the X26 safety switch is in the ON (SAFE) position and remove the
air cartridge.
4. Insert the USB cable into the computer. The USB DPM will illuminate red if
the cable is connected correctly.
5. Insert the USB DPM into the X26 Taser. After a few seconds the USB
DPM illumination will change from red to green and a “U” will appear on
the X26 CID.
6. Click on the “Taser X26 Dataport” desktop icon.
7. Check the Daylight Savings Time zone box if your time zone is currently
on daylight savings time.
8. Click the “Download X26” button.¹
9. Select a range of dates to download, or choose “Download all firing data”
and click continue.
10. Save the firing data to a file on the Forensic Tower.

References:
1. Taser International Data Port User Manual V.15.5
2. Digital Evidence Unit Validation and Calibration Manual

Notes:
1. The following firing information will be displayed for the Taser: Sequence
#, GMT time, local time, duration (Secs), Temperature (deg. C), and
battery % for each discharge.
2. The X26 shows the total time in seconds that the trigger was pulled. If the
user pulls the trigger once and releases it, the X26 will shoot a 5 second
burst and 5 seconds will display on the data log. If the user manually
turns off firing before a full 5 seconds has elapsed, the number of seconds
that the unit fired will display on the data log. If the user pulls the trigger
and holds it for longer than 5 seconds, the unit will continue to fire and the
total number of seconds the trigger is held will display on the data log.
3. Duration is the total time the trigger was depressed without a break.
4. The temperature is the internal DPM temperature.
5. The Time Change Record is a log of all changes to the Taser’s internal
clock. If the internal clock has never been updated, the area is blank.
6. If the time on the computer does not match the time on the X26, a “Time
Synchronization error” window will appear. If this happens, press the
cancel button. DO NOT change the time on the X26 Taser.
7. If no “Time Synchronization error” window is displayed after the
“Download X26” button has been pressed, the Taser’s internal clock must
be checked. To check the Taser’s internal clock the software must be
exited after all data downloads are complete. The forensic workstation’s
clock must be set either forwards or backwards 12 hours to produce a
“Time Synchronization error”. Restart the software and press the
“Download X26” button. Compare the time displayed as the Taser’s
internal clock setting to real time (from a watch or other clock) and record
the difference (if any).

¹ See notes 6 and 7 for procedures to follow based on the resulting screen after the
“Download X26” button is pressed.

Title: Taser Function Test Protocol


Version: 1.0

Introduction:
This procedure describes the steps to be taken by all personnel of the Triad
Lab’s Digital Evidence Unit in function testing M26 and X26 model Tasers.

Purpose:
The purpose of this procedure is to test Tasers that are submitted for analysis to
ensure that they are recording the firing information properly.

Equipment:
1. Forensic Tower
2. M26 dataport download kit from Taser International
3. USB data interface module from Taser International

Definitions:
1. M26 dataport download kit – kit containing the hardware and software
needed to download the firing information from an M26 Taser.
2. USB data interface module – kit containing the hardware and software
needed to download the firing information from an X26 Taser.

Calibration:
The forensic towers used in casework must be verified each day that they are
used to ensure that the computer hardware and software are functioning
properly. The procedure for this verification process can be found in the Digital
Evidence Unit Validation and Calibration Manual.

Precautions:
1. Tasers are high energy weapons and should be handled with great care.
2. If a live cartridge is attached to the front of the weapon, it has the ability to
discharge sharp projectiles. These cartridges should be removed from
weapons submitted for examination.
3. The Taser can still deliver an electrical shock with the cartridge removed.
Analysts should keep the safety engaged whenever possible, keep his or
her finger off of the trigger whenever possible, and avoid touching the
electrodes on the front of the weapon.

Limitations:
1. The M26 data log shows the trigger pulls in increments of 5 seconds. If
the user pulls the trigger once and releases it, the M26 will fire for five
seconds and the data log will show one firing. If the user pulls the trigger
and holds it for longer than 5 seconds, the unit will continue to fire and the
data log will show multiple firings. For example, if the user pulls and holds
the trigger longer than 5 seconds but less than 10 seconds, the data log
will show two firings. If the user pulls and holds the trigger longer than 10
seconds but less than 15 seconds, the data log will show three firings.

Procedures:
1. Install the download software for the Taser model to be tested on the
forensic tower if it is not already installed.
2. Verify that the time and time zone information on the forensic tower are
correct.
3. Download the firing data from the weapon to be tested using the
procedures in the M26 Acquisition Protocol or the X26 Acquisition Protocol
(if the data has not been downloaded while working the case).
4. Set the time on the Forensic Tower to match the time on the Taser.
5. Remove the Taser from the Forensic Tower.
6. Replace the battery pack into an X26 Taser.
7. Discharge the weapon by pulling the trigger and holding it for less than 5
seconds. Record the time that the discharge occurred and the length of
time that the trigger was held.
8. Discharge the weapon by pulling the trigger and holding it for more than 5
seconds but less than 10 seconds. Record the time that the discharge
occurred and the length of time that the trigger was held.
9. Discharge the weapon by pulling the trigger and holding it for more than
10 seconds. Record the time that the discharge occurred and the length of
time that the trigger was held.
10. Download the firing data from the weapon being tested using the
procedures in the M26 Acquisition Protocol or the X26 Acquisition
Protocol.
11. Compare the known discharge time and durations to the discharge times
and durations recorded on the Taser.
12. Compare the download data from before the function test and the
download data from after the function test. Ensure that none of the
information on previous firings changed during the function test.
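The two comparisons in steps 11 and 12, together with the M26 limitation above (one log entry per started 5-second burst), as shell functions. This is an added example and not part of the manual or of the Taser download software; the log lines used to exercise it are constructed in the M26 layout listed in the M26 protocol notes (line #, date, time, day) and are not real weapon data. How the M26 treats a hold of exactly 5 or 10 seconds is not stated on the page, so the rounding rule below is an assumption.

```shell
#!/bin/sh
# Added example (not part of the SBI manual): checks for the Taser function test.

# expected_m26_entries SECONDS...
# Number of data log entries an M26 writes for the given trigger-hold
# durations: one entry per started 5-second burst, so 3 s -> 1, 7 s -> 2,
# 12 s -> 3 (matching the Limitations above). Treating an exact multiple of
# 5 s as NOT starting another burst is an assumption.
expected_m26_entries() {
    total=0
    for secs in "$@"; do
        total=$(( total + (secs + 4) / 5 ))
    done
    echo "$total"
}

# verify_function_test PRE_LOG POST_LOG EXPECTED_NEW
# Step 12: the post-test download must begin with every line of the pre-test
# download, unchanged (no earlier firing was altered by the test).
# Step 11: the post-test download must contain exactly EXPECTED_NEW new
# entries for the recorded discharges.
# Returns 0 when both hold, 1 otherwise.
verify_function_test() {
    pre="$1"; post="$2"; want="$3"
    before=$(( $(wc -l < "$pre") ))
    after=$(( $(wc -l < "$post") ))

    # cmp compares the first $before lines of the post log with the pre log.
    if ! head -n "$before" "$post" | cmp -s - "$pre"; then
        echo "FAIL: an entry recorded before the function test changed"
        return 1
    fi
    if [ $(( after - before )) -ne "$want" ]; then
        echo "FAIL: expected $want new entries, found $(( after - before ))"
        return 1
    fi
    echo "PASS: $before earlier entries intact, $want new entries logged"
    return 0
}

# Usage for the three test discharges in steps 7 to 9 (hypothetical files):
#   want=$(expected_m26_entries 3 7 12)          # -> 6
#   verify_function_test pre_test.log post_test.log "$want"
```

Recording the actual hold times at steps 7 to 9 and feeding them to expected_m26_entries gives the count to compare against, so the analyst is comparing the log against a stated expectation rather than reading the log and deciding afterwards whether it looks right.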

References:
1. Operational Use of Logging Program V2.0 (found as the readme file on
the diskette in the M26 download kit)
2. Taser International Data Port User Manual V.15.5
3. Digital Evidence Unit Validation and Calibration Manual

Notes:
None

Title: Evidence Search Protocol


Version: 1.0

Introduction:
This procedure describes the steps to be taken by all personnel of the Triad
Lab’s Digital Evidence Unit in searching computer evidence that is submitted to
the Laboratory.

Purpose:
The purpose of this procedure is to provide a systematic means of searching
digital evidence in order to find the data of interest.

Equipment:
1. Forensic Tower, Laptop, or Portable Forensic Workstation
2. Approved Forensic Software

Definitions:
1. Forensic drive - Hard drive containing the operating system and all of the
forensic software that will be used in the examination
2. Target Drive – the hard drive used in casework to receive forensic
images and on which the processing of casework may be performed.

Calibration:
The forensic towers used in casework must be verified each day that they are
used to ensure that the computer hardware and software are functioning
properly. The procedure for this verification process can be found in the Digital
Evidence Unit Validation and Calibration Manual.

Limitations:
None

Procedures:
1. Install the forensic drive and the target drive into the forensic tower and
boot the forensic tower from the forensic drive.
2. Run approved software to undelete any deleted files and recover files and
file fragments from unallocated space.
3. If the Analyst chooses to use EnCase as the examination software, the
forensic image of the evidence drive should be examined for the presence
of any deleted partitions on the hard drive. If any deleted partitions are
noted, these partitions should be recovered.
4. If the Analyst chooses to use EnCase as the examination software, the
forensic image of the evidence drive should be examined for the presence
of any deleted folders on the hard drive. Any deleted folders should be
recovered.
5. If the Analyst chooses to use EnCase as the examination software, then a
signature analysis should be run on all of the files in the case prior to the
examination of these files.
6. If the Analyst chooses to use EnCase as the examination software, the
File Mounter EnScript should be run to mount any zipped or compressed
files so that the files contained inside can be examined.
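What the signature analysis in step 5 actually does, shown as an added example that is not part of the manual and is not EnCase's implementation: the leading bytes of each file are read and compared with the format its extension claims, so a file whose contents were renamed to hide them is reported as a mismatch. The signature table covers only a few common image formats, and the test files are constructed byte strings, not evidence.

```shell
#!/bin/sh
# Added example (not part of the SBI manual): a minimal file signature check
# using od, so it runs in any Linux live environment. Only a handful of
# image signatures are known to it.

# signature_of FILE
# Prints the format implied by the first four bytes, or "unknown".
signature_of() {
    # od prints " ff d8 ff e0"; strip the spaces to get "ffd8ffe0".
    magic=$(od -A n -t x1 -N 4 "$1" | tr -d ' \n')
    case "$magic" in
        ffd8ff*)  echo jpg ;;   # JPEG: FF D8 FF
        47494638) echo gif ;;   # GIF: "GIF8"
        89504e47) echo png ;;   # PNG: 89 "PNG"
        424d*)    echo bmp ;;   # BMP: "BM"
        *)        echo unknown ;;
    esac
}

# check_signature FILE
# Prints "match" when the extension agrees with the signature, "mismatch"
# when a known signature contradicts the extension, and "unknown" when the
# leading bytes are not in the table (plain text, documents, and so on).
check_signature() {
    ext=$(printf '%s' "${1##*.}" | tr 'A-Z' 'a-z')
    [ "$ext" = jpeg ] && ext=jpg
    sig=$(signature_of "$1")
    if [ "$sig" = unknown ]; then
        echo unknown
    elif [ "$sig" = "$ext" ]; then
        echo match
    else
        echo mismatch
    fi
}

# report_mismatches DIR
# Walks a mounted (read-only) image and lists every file whose signature
# contradicts its extension, one path per line.
report_mismatches() {
    find "$1" -type f | while read -r f; do
        [ "$(check_signature "$f")" = mismatch ] && echo "$f"
    done
    return 0
}
```

A "mismatch" is a reason to open the file in a viewer for its real format rather than trusting the extension; an "unknown" only means the table has no entry, so the file search by extension in "Searching for Images" below still applies to it.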

Searching for Images:
1. Computer search software or graphics thumbnail software can be used to
view images on an image drive.
2. A file search can be run to find files with graphic or multimedia file
extensions (.jpg, .gif, .bmp, .mov, .mpg, .avi, etc.).
3. Examine files found for data useful to the investigation.
4. Make note of any files found that are relevant to the investigation.

Searching for Data:
1. Use approved forensic search software to perform keyword searches on
the image drive.
2. Enter in any relevant keywords (such as names, e-mail addresses, dates,
etc.) that may be pertinent to the investigation in order to find any data of
possible evidentiary value.
3. Examine all search hits for relevance to the investigation.
4. Make note of any data found that are relevant to the investigation.

Suspect Image Restoration:
1. At times it may be necessary to view the subject’s computer in a bootable
state, just as the suspect would have viewed it at the time it was in use. To
do this, it is acceptable to clone the suspect hard drive using a drive of the
same storage capacity or to restore an image file onto a target drive that
has the same storage capabilities as the suspect drive. This additional
image/clone drive can then be inserted into the suspect’s computer and
used to boot the hardware.
2. Another option is to utilize virtual imaging technology to spawn a virtual
computer using the image file of the suspect’s computer as the basis for
the virtual machine. This will allow the Analyst to examine the suspect’s
computer in a virtual environment that simulates the suspect’s computer in
its native state.

References:
1. EnCase Forensic User Manual
2. EnCase Intermediate Analysis and Reporting course guide
3. EnCase Advanced Computer Forensics course guide
4. Forensic Toolkit User Guide
5. Forensic Boot Camp Training Manual
6. Digital Evidence Unit Validation and Calibration Manual

Notes:
1. In EnCase: .asf, .max, .mpe, .mpeg, .mpg, .mov, .rm, .ram and .avi files as
well as image files in unallocated space are not shown in the gallery view.
These files should be searched for and viewed with external viewers.
2. EnCase does not display the contents of .zip files in the gallery view
unless the zip files are first mounted. The examiner should search for .zip
files. These files should be opened manually or with the File mounter
EnScript in EnCase and any images found inside examined. This can be
done by the examiner or recovered for examination by the submitting
officer.
3. EnCase does not display images that are attached to e-mail files (i.e.
Outlook Express and AOL e-mail files) prior to version 5. If images may be
important in a case and an Encase version prior to version 5 is being
used, the e-mail files should be recovered to the target drive. These files
can be examined by restoring the e-mails to an e-mail account on another
computer so that the images attached to the e-mail can be viewed. This
examination can be done by the examiner or recovered for examination by
the submitting officer.
4. Due to the size of modern hard drives, it is not possible to read all of the
data recovered in a case. Every effort should be made to search by
relevant dates or file types and search by relevant keywords in order to
find information pertinent to the case.
5. Microsoft Office 2007 documents are created differently from previous
versions of Microsoft Office. Office 2007 files are stored as zip files and
not as OLE documents. Therefore, in order to view the contents of these
files using EnCase, Office 2007 documents must be mounted like other
types of Zip files. If the Analyst chooses to use EnCase for analysis,
he/she must be aware of how EnCase handles these files [namely,
EnCase 6 requires the Analyst to select the “Mount Persistent” option
inside of the “File Mounter” EnScript to keep the files mounted after the
EnScript completes running. If this option is not selected, the files will
unmount as soon as the EnScript finishes running and the Analyst will have
to mount the files manually by right clicking and viewing file structure].
6. Search data that is fragmentary in nature (data that when manually carved
from inside another file structure or unallocated space does not make a
complete file or a file that can be viewed in its native format) must be
saved in Text format only. For example, when a search term is found
inside of a fragment of a web-based email that is located in unallocated
space, the Analyst should manually carve all HTML data related to the
email and save the manually carved data as a TXT file.
7. Manually carved file data should be reflective of the data type and where
the data was carved from. For example, HTMLFragment_Offset2346C.txt
would indicate that the carved file contains fragmentary HTML data found
at hex offset 2346C on the suspect’s drive.
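
Added example of the carving and naming rule in items 6 and 7 (not the lab's code or any listed tool's): the Python functions below find keyword hits in a buffer standing in for unallocated space, expand each hit to the enclosing HTML block, and name the output by data type and hex offset; the buffer and the e-mail address are constructed.

```python
"""Locate keyword hits in unallocated space, carve the enclosing HTML
fragment (a web-based e-mail) and name the output <type>Fragment_Offset<hex>.txt.
Added example; the unallocated-space buffer is constructed."""
from __future__ import annotations
import re
from pathlib import Path


def find_hits(buf: bytes, keyword: bytes) -> list[int]:
    """Offsets of every case-insensitive hit for the keyword."""
    return [m.start() for m in re.finditer(re.escape(keyword), buf, re.IGNORECASE)]


def carve_html(buf: bytes, hit: int, window: int = 64 * 1024) -> tuple[int, bytes] | None:
    """Expand a hit to the enclosing <html> ... </html> block.

    Looks back at most `window` bytes for the nearest '<html' and forward for
    the first '</html>'. Returns (start_offset, data), or None when either
    boundary is missing: that is the fragmentary case which must be carved
    by hand and still saved in text format."""
    low = buf.lower()                      # tags may be upper or lower case
    start = low.rfind(b"<html", max(0, hit - window), hit)
    if start < 0:
        return None
    end = low.find(b"</html>", hit, hit + window)
    if end < 0:
        return None
    end += len(b"</html>")
    return start, buf[start:end]


def fragment_name(kind: str, offset: int) -> str:
    """Name reflecting data type and hex offset, e.g. HTMLFragment_Offset2346C.txt."""
    return f"{kind}Fragment_Offset{offset:X}.txt"


def carve_fragments(buf: bytes, keyword: bytes) -> dict[str, bytes]:
    """Map output file name -> carved bytes for every hit inside a complete
    HTML block. Several hits in one block yield one fragment, because the
    name is derived from the block's start offset."""
    fragments: dict[str, bytes] = {}
    for hit in find_hits(buf, keyword):
        carved = carve_html(buf, hit)
        if carved is not None:
            start, data = carved
            fragments[fragment_name("HTML", start)] = data
    return fragments


def save_fragments(fragments: dict[str, bytes], out_dir: str) -> list[Path]:
    """Write each fragment as a .txt file (the Notes allow text format only)."""
    paths = []
    for name, data in fragments.items():
        path = Path(out_dir, name)
        path.write_bytes(data)
        paths.append(path)
    return paths


# Constructed stand-in for unallocated space: zero fill, a webmail fragment
# beginning at hex offset 2346C, filler, then a stray hit with no HTML around it.
WEBMAIL_FRAGMENT = (b"<HTML><body><div class=\"hdr\">From: jdoe@example.com<br>"
                    b"Subject: meeting</div><p>See you at 10.</p></body></HTML>")
UNALLOCATED = b"\x00" * 0x2346C + WEBMAIL_FRAGMENT + b"\xff" * 512 + b"jdoe@example.com"

if __name__ == "__main__":
    for name, data in carve_fragments(UNALLOCATED, b"jdoe@example.com").items():
        print(name, len(data), "bytes")
```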

Title: Results Protocol
Version: 1.0

Introduction:
This procedure describes the steps to be taken by all personnel of the Triad
Lab’s Digital Evidence Unit in generating case results to be returned to the
submitting agency and the prosecutor.

Purpose:
The purpose of this procedure is to provide guidelines for preparing case results
to be returned to the submitting agency and the prosecutor that are consistent
from case to case.

Equipment:
1. Forensic Tower

Definitions:
None

Calibration:
The forensic towers used in casework must be verified each day that they are
used to ensure that the computer hardware and software are functioning
properly. The procedure for this verification process can be found in the Digital
Evidence Unit Validation and Calibration Manual.

Limitations:
Only CD-R, DVD-R or DVD+R disks may be used to copy recovered files and the
forensic image. CD-RW or DVD-RW disks should never be used because the
data on the disk may be altered.

Procedures:
1. At the completion of an examination the evidence files in the case must be
verified. This can be accomplished by either creating a new EnCase case
file with the evidence files added to this case, or by re-hashing the image
files using approved hashing software. This process must be completed
in order to ensure that the hash values of the evidence files verify
completely. If for any reason the hash values do not verify, this should be
reported to the section supervisor immediately.
2. Make a copy of the files which were found to be of evidentiary value onto
a CD or DVD. If the Analyst chooses to use FTK then any bookmarked
files must be exported as part of the electronically generated report from
FTK. Any CD or DVD that has apparent pornographic images of children
copied on it as part of the examination will be labeled to reflect the
following:
“This media may contain contraband and is intended for use by
law enforcement in an official criminal investigation.
Dissemination of this material may result in a criminal violation.”
3. A file copy of the CDs or DVDs containing files recovered in the case
should be produced and retained in the Laboratory in order to refresh the
memory of an Analyst at a later date. This CD is not evidence. If further
examination is needed in the case, either the original evidence or the
forensic image must be returned to the Laboratory to continue the
examination.
4. Other examination documentation will be stored within the FLAIR system.
5. Make a copy of the forensic image onto a set of CDs or DVDs. These CDs
or DVDs will be returned to the submitting agency. If any further analysis
needs to be done, the set of CDs or DVDs can be returned to the lab.
6. The target hard drive used in the case may be wiped and reused in future
case examinations. However, if the case worked: (1) is a highly publicized
case, (2) is an extremely violent crime, or, (3) is exceptionally complicated
to the point that restoring the image files from the CDs or DVDs would not
be sufficient to recreate the work product for the case; then it is
permissible to store the case target drive, at the discretion of the section
supervisor, until such time that the case has been adjudicated, or, for an
indeterminate amount of time necessary for the case to be disposed of in
the court system.
7. Evidence determined to have pornographic images of children on it will be
password protected. All copies of the media will be labeled:
“This media may contain contraband and is intended for use by
law enforcement in an official criminal investigation.
Dissemination of this material may result in a criminal violation.”
8. A laboratory report should be created in FLAIR. This report should:
a. Document the types of pertinent files found.
b. Document where the pertinent files were found (logical files,
deleted files, slack space, unallocated space).
c. Document the importance of the pertinent files found.
d. Follow all other Section and Bureau report writing policies.

References:
1. EnCase Forensic User Manual
2. EnCase Intermediate Analysis and Reporting course guide
3. EnCase Advanced Computer Forensics course guide
4. Forensic Toolkit User Guide
5. Forensic Boot Camp Training Manual
6. Digital Evidence Unit Validation and Calibration Manual

Notes:
1. When a copy of the work product is made on a CD or DVD for retention in
the Laboratory and this media contains possible pornographic images of
children, the data on this media must be password protected to prevent
any unauthorized use of these files.
2. File copy media will be kept in a locked cabinet and a log will be kept of
the individuals that place the media in the cabinet.
3. In cases where the forensic image is exceptionally large (image files that
are many Gigabytes in size) it may not be practical to copy the image to
CDs or DVDs. In these cases the analyst may elect, at his or her
discretion, to eliminate this procedure. If so, the report must clearly state
that no copy of the forensic image was prepared and that the original
computer must be re-submitted to the lab in order for any additional
analysis to be conducted.
4. When creating a CD or DVD, the session must be finalized. This will help
prevent accidental damage to the CD.

Title: Approved Software for Forensic Computer Examinations
Version: 1.0

Any approved forensic software may be used as necessary, at the analyst’s
discretion, during an examination. This is a list of the software which is approved
for use in the Triad Lab’s Digital Evidence Unit.

Hard Drive Wiping
• EnCase
• Wipe Drive
• Symantec GDisk
• Wiper

Hard Drive Wipe Verification
• Forensic Tool Kit
• CHKSUM

Hard Drive Imaging
• FTK Imager
• EnCase
• SnapBack
• DD/DCFLDD/SDD

Anti-Virus Software
• Trend Micro OfficeScan
• Symantec/Norton Anti-Virus
• Other anti-virus software approved by Department of Justice ITD

Deleted File Recovery
• Norton Unerase
• Forensic Tool Kit
• EnCase

Slack and Unallocated Space Recovery
• Forensic Tool Kit
• EnCase
• Norton DiskEdit

Password Recovery
• Password Recovery Tool Kit (PRTK)

Optical Media Processing
• CD/DVD Inspector

System Image Creation/Restoration
• Symantec/Norton Ghost

Data Carving
• Forensic Tool Kit
• EnCase
• DataLifter

Text String Searches
• Forensic Tool Kit
• EnCase
• Windows ‘Find’ function

Text Viewers
• Forensic Tool Kit
• EnCase
• Quick View Plus
• Microsoft Word
• Wordpad
• Notepad
• Outlook Express
• Adobe Acrobat
• Editpad

Graphics Viewers
• Forensic Tool Kit
• EnCase
• Thumbs Plus
• Quick View Plus
• Outlook Express
• AOL
• IrfanView
• XnView

Movie Viewers
• Windows Media Player
• VLC
• QuickTime

Internet/IM History Analysis
• Forensic Tool Kit
• EnCase
• Net Analysis
• Neda-Nama Yahoo Messenger Archive Decoder

Title: Glossary of Terms
Version: 1.0

BIOS Basic Input Output System. A number of machine code routines
that are stored in ROM and available for execution at boot time.
Browser Browser is short for Web Browser. A browser is a computer
program that locates and displays pages from the Internet.
Cache A computer’s cache is an area where the computer can
temporarily store frequently used data that would otherwise have
to be loaded from a slower source. The computer’s cache speeds
up the operation of the computer.
CDFS The standard used to describe the file structure on a CD.
Cluster bitmaps Used by NTFS to keep track of free clusters by using a bitmap.
This file contains one bit for every cluster on the volume.
Clusters A group of sectors in a logical volume that is used to store files
and folders.
Compressed file A file that has been reduced in size via one or more compression
techniques.
Compression A method of storing files resulting in great savings in disk
storage space. Compressed blocks are checked for validity in the
same way as uncompressed ones.
Cookie A cookie is a short piece of data that Web servers place on your
computer to help identify Web users. Cookies can be used by
Web servers to track your Internet browsing habits.
Cylinder The set of tracks on the drive platters that are at the same head
position.
Disk An actual piece of hardware that you can hold in your hand. It
could be a floppy disk, hard disk, ZIP disk, etc.
DOS Disk Operating System - usually refers to MS-DOS. Operating
system which was developed by Microsoft for IBM compatible
PCs. Still used today to help control operation on computers,
operating beneath the Windows environment.
Drive Geometry The number and position of the bytes, sectors, tracks located on
the physical drive.
EXT2 The primary file system used on the Linux operating system.
Fdisk DOS program that provides information about and editing of the
partitions on a hard drive.
File entries Each folder contains starting cluster and can be expanded or
contracted as files are added or removed from the folder. Each
file in the folder is represented by a 32 byte entry in the table.
The content of a folder “file” is an array of records containing
information about the files in the folder. Each entry in the folder
can be either a file or another folder. In this way a “tree”
structure can be built.
File slack The space between the logical end and the physical end of a file.

File signature A few bytes at the beginning of some files (such as graphic or
document files) that constitute a unique signature of the file type,
regardless of the file extension used.
File allocation table (FAT) An array of numbers that sits near the beginning of a DOS
volume. The length of the numbers is determined by the size of
the volume. Each entry in the FAT corresponds directly to one
cluster and there is always one FAT entry for every cluster.
Format DOS command used to prepare a storage medium (hard drive,
floppy disk) for reading and writing. Format does not erase data
on the disk. It checks for bad sectors and resets the internal
address tables (FAT).
Head A device that rides very close to the surface of the platter and
allows information to be read from and written to the platter.
Hyperlink A hyperlink is a text phrase (which often is a different color than
the surrounding text) or a graphic that conceals the address of a
Web Site. Clicking on the hyperlink takes you to the Web Site.
Image drive Same as the target drive.
Internet The Internet is a world wide network with more than 100 million
computer users that are linked for the exchange of data, news,
conversation and commerce. The Internet is a decentralized
network that no one person, organization or country controls.
ISDN Line Integrated Services Digital Network - A phone line that connects
two computers to transmit a digital signal between them, as
opposed to the analog signal transmitted over normal phone
lines. This allows data to be transferred more than twice as fast
as with an analog phone line with a 56kbps modem.
Logical file size The exact size of a file in bytes and is the number represented in
the properties for a file. This is different than physical file size.

Logical drive A drive named by a DOS drive specifier, such as C: or D:. A
single physical drive can act as several logical drives, each with
its own specifier.
Master boot record The very first sector of a physical disk (sector zero) is referred to
as the MBR. It contains machine code that allows the computer to
find the partition table and the operating system.
MD5 hash A 128 bit number that uniquely describes the contents of a file.
This is the standard hash code used in forensics.
NTFS NT File System. The file descriptors for every file on an
NTFS volume are stored in the Master File Table.
Partition table Describes the first four partitions, their location on the disk, and
which partition is bootable.
PGP Pretty Good Privacy - Program used to encrypt data on a
computer, such as messages on the Internet.
Physical drive A single disk drive. A single physical drive may be divided into
multiple logical drives.

Physical file size The amount of space that a file occupies on a disk. A file or
folder always occupies a whole number of clusters even if it does
not completely fill that space.
Plug-Ins A piece of computer hardware or software that adds a specific
feature or service to a larger system.
RAM slack The space from the end of the file to the end of the containing
sector. Before a sector is written to disk, it is stored in a buffer
somewhere in RAM.
RAM Random Access Memory. Volatile read/write memory whose
contents are lost when the power is turned off.
ROM Read Only Memory. Chips that contain a permanent program
that is burned on the chip at the factory and maintained when the
power is turned off. The information on these chips can be read
but not written to.
Root folder Stored in a known location, this is a tree structure that supports
files and folders within folders to an arbitrary depth.
Sector A group of bytes within a track and is the smallest group of bytes
that can be addressed on a drive. The number of bytes in a sector
can vary, but is almost always 512.
Spam Unsolicited “junk” e-mail which is sent to persons who did not
request it. It is usually commercial e-mail.
Suspect drive The drive (or drives) removed from a suspect’s computer
or in the possession of the suspect that will be imaged for later
analysis. This drive is never analyzed directly; rather, it is copied so the
analysis can be conducted on the image.
System drive The forensic hard drive used to boot the forensic tower. This is
the drive which contains the forensic search tools.
Target drive The drive that information from the suspect drive is being written
to.
Track Each platter on a disk is divided into thin concentric bands called
tracks. Tracks are established when the disk is low level
formatted.
Upload To send or transmit data from your computer to another
computer or network.
URL Universal Resource Locator - An address at which documents or
other resources can be found on the Web.
Volume A mounted partition. There may be only one volume on a floppy
or ZIP disk, or there may be several on a hard disk.
World Wide Web A group of Internet servers that support HTML formatting. The
World Wide Web is one part of the Internet.

Title: References
Version: 1.0

• AccessData’s Ultimate Toolkit BootCamp Training Manual: AccessData
Corp.: Copyright 1987-2006.

• AccessData’s Windows Forensics Training Manual: AccessData Corp.:
Copyright 1987-2006.

• AccessData’s Applied Decryption Training Manual: AccessData Corp.:
Copyright 1987-2008.

• EnCase Computer Forensics II Training Manual: Guidance Software, Inc.:
Copyright 2007

• Incident Response: Investigating Computer Crime: Kevin Mandia and
Chris Prosise: Osborne/McGraw Hill, New York: 2001: ISBN 0-07-213182-9

• Scene of the Cybercrime: Computer Forensics Handbook: Debra Littlejohn
Shinder: Syngress Publishing Inc., New York: 2002: ISBN 1-931836-65-5

• DOS for Dummies: Greg Harvey: IDG Books Worldwide, New York: 1998:
ISBN 0-7645-0368-5

• EnCase Certified Examiner Study Guide: Steve Bunting and William Wei:
Wiley Publishing, Inc., Indianapolis, IN: 2006: ISBN 0-7821-4435-7

• Hacking Exposed: Computer Forensics Secrets and Solutions: Chris
Davis, Aaron Philipp, and David Cowen: Osborne/McGraw Hill, New York:
2005: ISBN 0-07-225675-3

• Computer Forensics: Computer Crime Scene Investigation: John R.
Vacca: Charles River Media, Hingham, MA: 2002: ISBN 1-58450-018-2

• Linux in a Nutshell: Ellen Siever: O’Reilly Press, Sebastopol, CA: 1999:
ISBN 1-56592-585-8

• Linux Desk Reference: Second Edition: Scott Hawkins: Prentice Hall PTR,
Upper Saddle River, NJ: 2002: ISBN 0-13-061989-2

• How Computers Work, Millennium Edition: Ron White: Que Books,
Indianapolis, IN: 1999: ISBN 0-7897-2112-0

• Mac OS X, iPod, and iPhone Forensic Analysis DVD Toolkit: Ryan
Kubasiak and Sean Morrissey: Syngress Publishing Inc., New York:
2009: ISBN 978-1-59749-297-3

• NetAnalysis User Manual: Craig Wilson: Digital Detective Inc.: Copyright
2004-2005

• CD/DVD Inspector User Manual: Infinadyne Inc.: Copyright 2002

• How Computers Work, Millennium Edition: Ron White: Que, A Division of
Macmillan Computer Publishing, USA: 1999: ISBN 0-7897-2112-0

• I-Way Robbery, Crime on the Internet: William C. Boni and Dr. Gerald L.
Kovacich: Butterworth-Heinemann: 1999: ISBN 0-7506-7029-0

• Microsoft MS-DOS, User’s Guide and Reference Version 5.0: Microsoft
Corporation: Document No. SY07661/20885-0391

• Upgrading and Repairing PCs, 12th Edition: Scott Mueller: Que, A Division
of Macmillan Computer Publishing, USA: 2000: ISBN 0-7897-2303-4

• Using Microsoft Windows 95, Fourth Edition: Kathy Ivens: Que, A Division
of Macmillan Computer Publishing, USA: 1998: ISBN 0-7897-1573-2

Title: Revision Notes

Version 1.0 – Version 1.0 of this document was completed on June 30, 2009.
This document is based upon similar documentation from the SBI’s Raleigh
Crime Lab, but has been modified to suit the needs and conditions of the Triad
Regional Crime Laboratory’s Digital Evidence Unit.
