CF Unit 2

The document discusses the critical process of evidence collection in digital forensics, emphasizing the challenges posed by distributed data in cloud environments. It outlines best practices for collecting evidence from various digital devices, including computers, mobile phones, IoT devices, and cloud storage, while highlighting the importance of maintaining a chain of custody. Additionally, it details the analysis process and the use of disk imaging tools to ensure the integrity and admissibility of the collected data.


Evidence collection

Evidence collection plays a vital role in identifying and accessing data from the various sources in a cloud
environment for forensic investigation. The evidence is no longer stored on a single physical host; the data are
distributed across different geographical areas, so when a crime occurs it is difficult to locate the
evidence. Evidence is collected from sources such as routers, switches, servers, hosts, VMs and browser
artifacts, and from internal storage media such as hard disks, RAM images, physical memory, etc., that fall
under the forensic investigation. Evidence is also collected through the analysis of log files, cloud storage data
collection, web browser artifacts, and physical memory analysis.
How Digital Devices are Collected
1. There are general best practices, developed by organizations like SWGDE and NIJ, to properly seize devices
and computers.
2. Once the scene has been secured and legal authority to seize the evidence has been confirmed, devices can be
collected.
3. Any passwords, codes or PINs should be gathered from the individuals involved, if possible, and associated
chargers, cables, peripherals, and manuals should be collected.
4. Thumb drives, cell phones, hard drives and the like are examined using different tools and techniques, and this
is most often done in a specialized laboratory.
5. First responders need to take special care with digital devices in addition to normal evidence collection
procedures to prevent exposure to things like extreme temperatures, static electricity and moisture.
Evidence collection
1. Evidence collection from computer
➢ To prevent the alteration of digital evidence during collection, first responders should first document any
activity on the computer, components, or devices by taking a photograph and recording any information on the
screen.
➢ Responders may move a mouse (without pressing buttons or moving the wheel) to determine if something is on
the screen.
➢ If the computer is on, calling on a computer forensic expert is highly recommended as connections to criminal
activity may be lost by turning off the computer.
➢ If a computer is on but is running destructive software (formatting, deleting, removing or wiping information),
power to the computer should be disconnected immediately to preserve whatever is left on the machine.
➢ Office environments provide a challenging collection situation due to networking, potential loss of evidence
and liabilities to the agency outside of the criminal investigation. For instance, if a server is turned off during
seizure that is providing a service to outside customers, the loss of service to the customer may be very
damaging.
➢ In addition, office equipment that could contain evidence such as copiers, scanners, security cameras, facsimile
machines, pagers and caller ID units should be collected.
Evidence collection from a mobile phone
• In digital forensic evidence collection from a mobile phone, we employ a variety of specialized tools and
techniques to ensure the integrity and admissibility of the data. Here are some key aspects:

• Forensic Imaging: We create a complete binary copy of the device's data without altering any information,
using advanced imaging solutions.
• Use of Write Blockers: To prevent any accidental data modification, we connect the mobile device through a
write blocker during the data extraction process.
• Data Recovery: We utilize specialized software to recover deleted files and hidden data that could be crucial
to the investigation.
• Cryptographic Analysis: If the data is encrypted, we apply cryptographic analysis tools to decrypt the content,
allowing us to access vital information.
• Maintaining Chain of Custody: Throughout the process, maintaining a strict chain of custody is crucial to
ensure that the evidence collected is legally sound and usable in court.
Evidence Collection From IoT
• Wearable Devices: Given that smartwatches are employed in applications ranging from Global
Positioning System (GPS) to financial transactions, they are an excellent source of potential digital evidence.
Wearable devices collect sensitive data such as location, healthcare and communications. Also, a paired
wearable device can serve as a duplicate source of evidence if the original device is inaccessible.
• Mobile Devices: Smartphones and mobile devices are adopted by the majority of people and have become
hand-held interconnected processors. Most new mobile devices are standardized on either Android or iOS.
• Smart Home : The IoT enables all different objects and devices to interconnect and communicate over the
Internet. New devices such as microwave, fridge, oven, camera, TV, etc. can be connected and communicate
with people over the Internet. These devices collect and store various kinds of data such as audio, video, and
logs of the actions of users in their surroundings. These data can be used as valuable evidence of a crime;
however, data may be stored on the device itself or can be requested from the service provider such as
Amazon or Google. In addition, nowadays there are several commercial smart home devices that are equipped
with AI such as Apple’s Siri, Amazon’s Alexa, Microsoft’s Cortana, and Google’s Assistant.
• Logs: Logs are a significant source of evidence in the forensic analysis process. In an IoT system, most
devices have limited storage, which causes data to be overwritten after a short time, so logs are
used as a means to capture a device's state. Logs contain forensically valuable information: if
investigators cannot obtain disk-related data, they can still obtain the device's logs.
• Connected Car: A connected car is a car that uses Internet connectivity so that its main functions can be managed and
controlled remotely from a smartphone, tablet or computer. Currently, a connected car includes
digital systems to monitor car health, listen to or watch media, and operate hands-free personal devices. A
connected car can be attacked either to steal it or to cause harm, and there have been various incidents where connected
cars were attacked and damaged. A connected car is also a good source of evidence: an
investigator can use its GPS devices, telematics units, and infotainment systems to collect digital evidence.
Evidence Collection From Cloud
• Network traffic mirroring involves replicating all of the traffic passing through a particular point in the
network so that it can be analyzed later. This is an important tool for investigating potential security incidents,
as it allows analysts to see exactly what was happening on the network at the time of the incident.
• Packet capture capabilities give analysts access to all the data in individual packets passing through the
network. This data can be used to reconstruct what happened on the network and identify any suspicious or
malicious activity.
• Flow log data can create network traffic behavioral models. This data can be used to identify anomalies in
network traffic patterns that could indicate a security incident. Flow log data can also be used to track data
movement within an organization’s network, making it a valuable tool for managing data security.
• Hibernating a workload is another useful technique for evidence acquisition. When a workload is hibernated,
all of its state information is preserved so that it can be resumed later. This includes any open files,
active connections, and running processes.
• Capturing IaaS OS and data drives can provide analysts with access to critical evidence that may be
required for an investigation.
Evidence collection
Cloud log analysis:
Cloud log analysis helps to identify the source of evidence generated by various devices such as routers,
switches, servers and VM instances, and by other internal components, namely hard disks, RAM images, physical
memory, log files, etc., at different time intervals. Information about different types of attacks is stored in
various log files such as application logs, system logs, security logs, setup logs, network logs, Web server logs,
audit logs, VM logs, etc., which are described below.

• Evidence collection for cloud storage
➢ Collecting evidence from the VM image used to access the cloud storage account, using packet analysis tools
such as Ettercap, Wireshark, Burp Suite, etc., to capture packets between the client and the server.
➢ Collecting evidence from the VM's browser, such as Google Chrome, Chromium, Internet Explorer, Apple
Safari, Mozilla Firefox, etc.
➢ Collecting evidence from the cloud storage account itself, namely the user account and password.
➢ Collecting evidence from the client software used to access the VM hard drive and to synchronize the user
account, in order to retrieve the files and folders in the VMs.
• Evidence collection for cloud log analysis
➢ Collecting evidence from various sources in the VM, namely log files such as the network log, access log,
authentication log, error log, database log, etc., and through network analysis tools such as Wireshark, Snort,
Snappy, Burp Suite, etc.
Evidence collection: Cloud log analysis
• Application log is created by the developers through inserting events in the program. Application logs assist
system administrators to know about the situation of an application running on the server.
• System log contains the information regarding date and time of the log creation, type of messages such as debug,
error, etc., system-generated messages related to the occurrence, and processes that are affected by the occurrence
of an event.
• Firewall log provides information related to source routed packets, rejected IP addresses, outbound activities from
internal servers, and unsuccessful logins.
• Network log contains detailed information related to different events that happened on the network. The events
include recording malicious traffic, packet drops, bandwidth delays, etc. The network administrator monitors and
troubleshoots daily activities by analyzing network logs for different intrusion attempts.
• Web server log records entries related to the Web pages running on the Web server. The entries contain history for
a page request, client IP address, date and time, HTTP code, and bytes served for the request.
• Audit log records unauthorized access to the system or network in a sequential order. It assists security
administrators to analyze malicious activities at the time of attack. The information in audit log files includes
source and destination addresses, user login information, and timestamp.
• VM log records information specific to instances running on the VM, such as startup configuration, operations,
and the time VM instance finishes its execution. It also records the number of instances running on VM, the
execution time of each application, and application migration to assist CSP in finding malicious activities that
happen during the attack.
Chain of Custody
Chain of custody refers to the documentation that shows the people who have been entrusted with the evidence.
These include:
1. People who seized the equipment.
2. People in charge of transferring the evidence from the crime scene to the forensic labs.
3. People in charge of analyzing the evidence, and so on.

Some key elements that require documentation:


➢ How the evidence was collected
➢ When it was collected (e.g. date, time)
➢ How it was transported
➢ How it was tracked
➢ How it was stored (for example, in secure storage at your facility)
➢ Who has access to the evidence
Important Points to remember for Fool-proof Chain of Custody

• Always accompany evidence with its chain of custody forms.
• Give evidence positive identification at all times that is legible and written in permanent ink.
• Establish the integrity of the seized evidence through a forensically proven procedure: hashing.
• Hashing helps to prove the integrity of the evidence.
• Similarly, the seized original data can continue to be checked for integrity by comparing its hash value,
to identify any changes to it.
Fig: Chain of custody form
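As an added illustration of the hashing points above (not code from the original slides), the following Python keeps a chain-of-custody record in which every hand-off re-hashes the evidence and compares it with the hash taken at seizure; the evidence bytes, custodian names and item id are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample standing in for a seized disk image (not real evidence).
EVIDENCE = b"constructed sample evidence image: not a real disk image\n" * 64


def sha256_hex(data: bytes) -> str:
    """Hash the evidence; this value is what the custody form records at seizure."""
    return hashlib.sha256(data).hexdigest()


def new_custody_record(item_id: str, data: bytes, collected_by: str, location: str) -> dict:
    """Open a chain-of-custody record at seizure time.

    The hash computed here is the reference value that every later custodian
    must reproduce; 'events' is the ordered list of hand-offs.
    """
    return {
        "item_id": item_id,
        "acquisition_sha256": sha256_hex(data),
        "events": [
            {
                "action": "collected",
                "by": collected_by,
                "where": location,
                "when": datetime.now(timezone.utc).isoformat(),
            }
        ],
    }


def transfer(record: dict, data: bytes, action: str, person: str, location: str) -> dict:
    """Log a hand-off (transport, storage, analysis) and re-verify the hash at that point.

    A custodian who cannot reproduce the acquisition hash breaks the chain; the
    mismatch is written into the record rather than silently ignored.
    """
    current = sha256_hex(data)
    event = {
        "action": action,
        "by": person,
        "where": location,
        "when": datetime.now(timezone.utc).isoformat(),
        "sha256_at_handoff": current,
        "integrity_ok": current == record["acquisition_sha256"],
    }
    record["events"].append(event)
    return event


def chain_intact(record: dict) -> bool:
    """True only if every hand-off that verified the hash found it unchanged."""
    return all(e.get("integrity_ok", True) for e in record["events"])


if __name__ == "__main__":
    rec = new_custody_record("ITEM-001", EVIDENCE, "Officer A", "scene")
    transfer(rec, EVIDENCE, "transported", "Courier B", "vehicle")
    transfer(rec, EVIDENCE, "stored", "Evidence clerk C", "secure locker 4")
    # A single altered byte is caught at the very next hand-off.
    tampered = EVIDENCE[:-1] + b"!"
    transfer(rec, tampered, "analysed", "Analyst D", "lab")
    print(json.dumps(rec, indent=2))
    print("chain intact:", chain_intact(rec))
```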
Evidence Analysis
How and Where the Analysis is Performed
Exploiting data in the laboratory: Once the digital evidence has been sent to the laboratory, a qualified analyst will
take the following steps to retrieve and analyze data:
1. Prevent contamination: It is easy to understand cross contamination in a DNA laboratory or at the crime
scene, but digital evidence has similar issues which must be prevented by the collection officer. Prior to
analyzing digital evidence, an image or work copy of the original storage device is created. When collecting
data from a suspect device, the copy must be stored on another form of media to keep the original pristine.
Analysts must use “clean” storage media to prevent contamination or the introduction of data from another
source. For example, if the analyst was to put a copy of the suspect device on a CD that already contained
information, that information might be analyzed as though it had been on the suspect device. Although digital
storage media such as thumb drives and data cards are reusable, simply erasing the data and replacing it with
new evidence is not sufficient. The destination storage unit must be new or, if reused, it must be forensically
“wiped” prior to use. This removes all content, known and unknown, from the media.
Evidence Analysis
• Isolate Wireless Devices: Cell phones and other wireless devices should be initially examined in an isolation chamber, if
available. This prevents connection to any networks and keeps evidence as pristine as possible. The Faraday bag can be
opened inside the chamber and the device can be exploited, including phone information, Federal Communications
Commission (FCC) information, SIM cards, etc. The device can be connected to analysis software from within the
chamber. If an agency does not have an isolation chamber, investigators will typically place the device in a Faraday bag
and switch the phone to airplane mode to prevent reception.
• Install write-blocking software: To prevent any change to the data on the device or media, the analyst will install a block
on the working copy so that data may be viewed but nothing can be changed or added.
• Select extraction methods: Once the working copy is created, the analyst will determine the make and model of the
device and select extraction software designed to most completely “parse the data,” or view its contents.
• Submit device or original media for traditional evidence examination: When the data has been removed, the device is sent
back into evidence.
• Proceed with investigation: At this point, the analyst will use the selected software to view data. The analyst will be able
to see all the files on the drive, can see if areas are hidden and may even be able to restore organization of files allowing
hidden areas to be viewed. Deleted files are also visible, as long as they haven’t been over-written by new data. Partially
deleted files can be of value as well.
• Files on a computer or other device are not the only evidence that can be gathered. The analyst may have to work beyond
the hardware to find evidence that resides on the Internet including chat rooms, instant messaging, websites and other
networks of participants or information. By using the system of Internet addresses, email header information, time stamps
on messaging and other encrypted data, the analyst can piece together strings of interactions that provide a picture of
activity.
Disk Imaging Tools

Disk imaging is the computer system process by which an archive is created for a source disk, which can be later used
for making more copies of the hard drive. In the Disk imaging process, all the data of a hard disk is copied sector-wise,
including hidden files and configurations. This data is copied to another hard drive in a compressed form. It allows
more than one image to be reproduced on a hard disk so that users can take back up of more than one computer into
the destination disk.

A forensic image is an electronic copy of a drive (e.g. a hard drive, USB, etc.). It’s a bit-by-bit or bitstream file that’s
an exact, unaltered copy of the media being duplicated.
Disk imaging software allows users to create an image that contains the hard drive content, partition details, and OS
partitions. The chosen partitions will have all installed apps and configurations carried across. All of the information
gathered from imaging a hard drive is kept as an image on a network share. The disk imaging tool can then
distribute the image after compressing it to the user's specifications.
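To make the bitstream idea concrete, here is an added Python example (not from the original slides or any imaging product) that copies a source device sector by sector, zero-fills any sector it cannot read so offsets stay aligned, and records the image hash and the unreadable sector numbers; the source device is a constructed in-memory stand-in that simulates read errors.

```python
import hashlib
import io
from typing import Tuple

SECTOR = 512  # the image is built sector by sector, as the text describes


class FlakyDevice:
    """Constructed stand-in for a source drive (not a real block device).

    Behaves like a raw device opened read-only, but raises OSError when a
    read touches any sector number in `bad_sectors`, simulating unreadable
    sectors on a damaged drive.
    """

    def __init__(self, data: bytes, bad_sectors=()):
        self.data = data
        self.bad = set(bad_sectors)
        self.pos = 0

    def seek(self, offset: int) -> None:
        self.pos = offset

    def read(self, n: int) -> bytes:
        first, last = self.pos // SECTOR, (self.pos + n - 1) // SECTOR
        if any(s in self.bad for s in range(first, last + 1)):
            raise OSError(f"I/O error reading sectors {first}-{last}")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk


def image_device(src, dst, size: int, sector: int = SECTOR) -> dict:
    """Bitstream copy of `src` (a seekable, readable device) into `dst`.

    Sectors are copied in order. An unreadable sector is written as zeros so
    every later byte keeps its original offset (the image stays the same size
    as the source), and its number is recorded for the acquisition notes.
    The returned SHA-256 is the hash of the image as written, i.e. the value
    the chain-of-custody form records for this acquisition.
    """
    digest = hashlib.sha256()
    unreadable = []
    for n in range((size + sector - 1) // sector):
        offset = n * sector
        want = min(sector, size - offset)
        try:
            src.seek(offset)
            chunk = src.read(want)
            if len(chunk) != want:
                raise OSError(f"short read at sector {n}")
        except OSError:
            chunk = b"\x00" * want
            unreadable.append(n)
        dst.write(chunk)
        digest.update(chunk)
    return {"bytes": size, "sha256": digest.hexdigest(), "unreadable_sectors": unreadable}


def image_to_bytes(data: bytes, bad_sectors=()) -> Tuple[bytes, dict]:
    """Image a constructed in-memory device and return (image, acquisition report)."""
    out = io.BytesIO()
    report = image_device(FlakyDevice(data, bad_sectors), out, len(data))
    return out.getvalue(), report


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_image(image: bytes, report: dict) -> bool:
    """Re-hash the image and compare with the hash recorded at acquisition.

    Only when no sector was unreadable can the image also be expected to hash
    identically to the source drive itself.
    """
    return sha256_hex(image) == report["sha256"] and len(image) == report["bytes"]


if __name__ == "__main__":
    # Constructed sample source: five full sectors plus a short tail.
    source = bytes(range(256)) * 10 + b"tail"
    image, report = image_to_bytes(source, bad_sectors={2})
    print(report)
    print("image verifies against its acquisition hash:", verify_image(image, report))
    print("matches source exactly:", image == source)  # False: sector 2 was zero-filled
```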
Disk Imaging Tools
What can disk imaging software do?
• Imaging: As mentioned before, disk imaging software will enable you to create a replica of the operating
system, settings, and user files of the target computer.
• Backup user profiles: It will back up user profiles and will help you migrate access permissions, preferences,
security settings, and configurations unique to a user account.
• Application deployment: Accelerate the machine setup process by deploying relevant applications and drivers
along with your OS image.
• Specificity: Employ granular customization by curating settings like user profiles, computer names, computer
domains, and user accounts specific to each computer.
• Disk adjustment: Optimally utilize the free space in the target hard disk by automatically extending the data
partitions in the unallocated space.
• Compression: Seamlessly compress your disk images to a smaller size to simplify the transfer of the large disk
images.
• Shrinking: If the target disk size where the image is to be deployed is smaller than the image size, disk image
software allows you to shrink the image before deployment.
Disk Imaging Tools
What are the different types of disk imaging tools?
• Backup software: The disk imaging software has the capacity to upload data to cloud servers directly. A cloud
back-up of the disk would upload the source disk data into cloud servers owned either by the disk imaging
software company itself or some other third party vendor that provides cloud services.
• Imaging software: Performs the disk imaging process described above: all the data of the hard disk is copied
sector-wise, including hidden files and configurations, to another hard drive in compressed form. More than
one image can be stored on the destination disk, so users can back up more than one computer to it.
• Cloning software: Disk Cloning is a process by which one hard drive is copied into other drives to make an
exact copy of the source drive. A clone will have all the contents from the source drive, but it is not in a
compressed form. Once a clone is formed, users cannot add or change data. A clone is ready to use a disk that
can be inserted into any computer, and it will start working. Disk cloning software creates a clone of the
source disk into another hard drive.
• Incremental backup software: The disk imaging software should also be able to take incremental back-up.
Incremental back-up is an addition to the already existing back-up of a disk. If changes were made to the
source disk and additional content was added, then incremental back-up would take only the newly added
content for extra back-up.
• Partition backup software: The software manages partition related issues also. It can change the disk volume
utilized by each partition of the disk.
Write Blockers
A write blocker, also known as a write-block device, is a hardware or software tool that allows forensic investigators to access
and examine digital storage media without altering or compromising the integrity of the data.
• The primary function of a write blocker is to prevent any write commands or modifications to the target media, ensuring
that the original evidence remains intact.
• Write blockers come in various forms, including external devices that connect between the storage media and the forensic
workstation, as well as software solutions that can be installed on a computer. These tools intercept write commands from
the computer and redirect them, ensuring that the original data is not modified during the investigation process.

Write blockers are essential tools in digital forensics and computer investigations. They serve to protect the integrity of digital
evidence by preventing any write or modification actions to the storage media under examination.
There are two basic types of write blockers:
• Hardware write blocker—A hardware blocker is a device, running its own internal software, that sits between the
computer and the attached evidence device and blocks the computer's ability to write to that device.
• Software write blocker—A software blocker is an application run on the operating system that implements a
software control to turn off the operating system's write capability. If you are using a software write blocker, attach
the external evidence collection drive before activating the software blocker, so that the external drive can still
be written to.
Write Blockers
How Write Blockers Work:
• Read-Only Mode: Write blockers set the connected storage device to read-only mode. This means data can
be read from the media but cannot be written to it. Write commands are blocked while read commands pass
through.
• Protection Mechanisms: Write blockers use various mechanisms, such as firmware or software, to enforce
read-only mode. Some advanced write blockers also log any attempts to write to the media.
• Digital Forensics Investigations: In criminal and civil cases, digital forensic examiners use write blockers to
preserve and analyze digital evidence from computers, smartphones, external drives, and other storage media.
• Incident Response: In cybersecurity incident response, write blockers can be used to investigate
compromised systems without altering the original evidence.
• Data Recovery: Write blockers can also be employed in data recovery efforts to prevent accidental data
overwrites during recovery processes.
Understanding Filesystems - Windows
A file system enables applications to store and retrieve files on storage devices. Files are placed in a hierarchical
structure. The file system specifies naming conventions for files and the format for specifying the path to a file
in the tree structure.
Each file system consists of one or more drivers and dynamic-link libraries that define the data formats and
features of the file system. File systems can exist on many different types of storage devices, including hard
disks, jukeboxes, removable optical disks, tape back-up units, and memory cards.
All file systems supported by Windows have the following storage components:
• Volumes. A volume is a collection of directories and files.
• Directories. A directory is a hierarchical collection of directories and files.
• Files. A file is a logical grouping of related data.
• A directory is a hierarchical collection of directories and files. The only constraint on the number of files that
can be contained in a single directory is the physical size of the disk on which the directory is located.
• A hard disk is a rigid disk inside a computer that stores and provides relatively quick access to large amounts
of data. It is the type of storage most often used with Windows. The system also supports removable media.
• A file object provides a representation of a resource (either a physical device or a resource located on a
physical device) that can be managed by the I/O system.
• Transactional NTFS (TxF) allows file operations on an NTFS file system volume to be performed in a
transaction.
• The highest level of organization in the file system is the volume. A file system resides on a volume.
Windows File System
1. FAT
• FAT is the most simplistic of the file systems supported by Windows NT.
• The FAT file system is characterized by the file allocation table (FAT), which is really a table that resides at the
very “top" of the volume.
• To protect the volume, two copies of the FAT are kept in case one becomes damaged.
• The FAT tables and the root directory must be stored in a fixed location so that the system's boot files can be
correctly located.
• A disk formatted with FAT is allocated in clusters, whose size is determined by the size of the volume.
• When a file is created, an entry is created in the directory and the first cluster number containing data is
established.
• This entry in the FAT table either indicates that this is the last cluster of the file, or points to the next cluster.
• If the FAT table is not regularly updated, it can lead to data loss.
• It is time consuming because the disk read heads must be repositioned to the drive's logical track zero each time the
FAT table is updated.
• There is no organization to the FAT directory structure, and files are given the first open location on the drive. In
addition, FAT supports only read-only, hidden, system, and archive file attributes.
• FAT uses the traditional 8.3 file naming convention and all filenames must be created with the ASCII
character set.
• The name of a file or directory can be up to eight characters long, then a period (.) separator, and up to a three
character extension.
• The name must start with either a letter or number and can contain any characters except for the following:
."/\[]:;|=,
• The name cannot contain any spaces.
• The following names are reserved:
CON, AUX, COM1, COM2, COM3, COM4, LPT1, LPT2, LPT3, PRN, NUL
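As an added example (not from the original slides), the Python below turns the two FAT mechanisms just described into code: a checker for the 8.3 naming rules listed above, and a walker that follows a file's cluster chain through the FAT until the last-cluster marker, refusing free, bad or looping entries; the FAT16 table, cluster size and data area are constructed samples, not taken from a real volume.

```python
# Constructed FAT16 table and data area (not from a real volume). Entries 0 and 1
# are reserved, so cluster numbering of the data area starts at 2.
SAMPLE_FAT = [0xFFF8, 0xFFFF, 0x0003, 0x0005, 0xFFFF, 0xFFFF, 0x0007, 0x0006, 0xFFF7, 0x0000]
CLUSTER_BYTES = 8  # tiny cluster size for the sample; real volumes use 512 bytes or more
SAMPLE_DATA = b"".join(bytes([c]) * CLUSTER_BYTES for c in b"ABCDEFGH")  # clusters 2..9

FAT16_EOC_MIN = 0xFFF8  # 0xFFF8-0xFFFF: this is the last cluster of the file
FAT16_BAD = 0xFFF7
FAT16_FREE = 0x0000

RESERVED_NAMES = {"CON", "AUX", "COM1", "COM2", "COM3", "COM4",
                  "LPT1", "LPT2", "LPT3", "PRN", "NUL"}
FORBIDDEN_CHARS = set('."/\\[]:;|=,')  # the characters the slide lists as not allowed


def valid_83_name(name: str) -> bool:
    """Apply the 8.3 rules from the slide: ASCII only, no spaces, a 1-8 character
    name starting with a letter or digit, an optional 1-3 character extension after
    a single '.', no forbidden characters, and no reserved device name."""
    if not name.isascii() or " " in name:
        return False
    base, dot, ext = name.partition(".")
    if not (1 <= len(base) <= 8) or not base[0].isalnum():
        return False
    if dot and not (1 <= len(ext) <= 3):
        return False
    if any(c in FORBIDDEN_CHARS for c in base + ext):  # a second '.' lands in ext
        return False
    return base.upper() not in RESERVED_NAMES


def cluster_chain(fat: list, first_cluster: int) -> list:
    """Follow a file's clusters through the FAT: each entry either points to the
    next cluster or marks the end of the file. Raises ValueError on a free, bad or
    out-of-range entry, or on a loop, the conditions a parser must detect when a
    FAT has been damaged or not kept up to date."""
    chain, seen, cur = [], set(), first_cluster
    while True:
        if cur < 2 or cur >= len(fat):
            raise ValueError(f"cluster {cur} out of range")
        if cur in seen:
            raise ValueError(f"loop at cluster {cur}")
        seen.add(cur)
        chain.append(cur)
        nxt = fat[cur]
        if nxt >= FAT16_EOC_MIN:
            return chain
        if nxt in (FAT16_FREE, FAT16_BAD):
            raise ValueError(f"chain broken at cluster {cur} (entry {nxt:#06x})")
        cur = nxt


def extract_file(fat: list, data_area: bytes, first: int, size: int,
                 cluster_bytes: int = CLUSTER_BYTES) -> bytes:
    """Reassemble file content by following the chain; cluster n starts at
    (n-2)*cluster_bytes. Bytes past `size` in the last cluster are slack space."""
    pieces = [data_area[(c - 2) * cluster_bytes:(c - 1) * cluster_bytes]
              for c in cluster_chain(fat, first)]
    return b"".join(pieces)[:size]


if __name__ == "__main__":
    for n in ("README.TXT", "MY FILE.TXT", "CON.TXT", "LONGFILENAME.TXT"):
        print(f"{n!r:20} valid 8.3 name: {valid_83_name(n)}")
    print("chain from cluster 2:", cluster_chain(SAMPLE_FAT, 2))
    print("file content:", extract_file(SAMPLE_FAT, SAMPLE_DATA, 2, 20))
    try:
        cluster_chain(SAMPLE_FAT, 6)
    except ValueError as err:
        print("damaged chain detected:", err)
```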
Advantages of FAT
• It is not possible to perform an undelete under Windows NT on any of the supported file systems.
• Undelete utilities try to directly access the hardware, which cannot be done under Windows NT.
• If the file was located on a FAT partition, and the system is restarted under MS-DOS, the file can be
undeleted.
• The FAT file system is best for drives and/or partitions under approximately 200 MB, because FAT starts out
with very little overhead.

Disadvantages of FAT
• Preferably, when using drives or partitions of over 200 MB the FAT file system should not be used. This is
because as the size of the volume increases, performance with FAT will quickly decrease. It is not possible to
set permissions on files that are FAT partitions.
• FAT partitions are limited in size to a maximum of 4 Gigabytes (GB) under Windows NT and 2 GB in MS-
DOS.
Windows File System
2. HPFS
• The HPFS file system was first introduced with OS/2 1.2 to allow for greater access to the larger hard drives that
were then appearing on the market.
• It was necessary for a new file system to extend the naming system, organization, and security for the growing
demands of the network server market.
• HPFS maintains the directory organization of FAT, but adds automatic sorting of the directory based on filenames.
Filenames are extended to up to 254 double byte characters.
• HPFS also allows a file to be composed of "data" and special attributes to allow for increased flexibility in terms of
supporting other naming conventions and security.
• The unit of allocation is changed from clusters to physical sectors (512 bytes), which reduces lost disk space.
• Under HPFS, directory entries hold more information than under FAT. In addition to the attribute file, this
includes information about the modification, creation, and access dates and times.
• Instead of pointing to the first cluster of the file, the directory entries under HPFS point to the FNODE.
• The FNODE can contain the file's data, or pointers that may point to the file's data or to other structures that
will eventually point to the file's data.
• HPFS attempts to allocate as much of a file in contiguous sectors as possible. This is done in order to increase
speed when doing sequential processing of a file.
• HPFS organizes a drive into a series of 8-MB bands, and whenever possible a file is contained within one of
these bands.
• Between each of these bands are 2K allocation bitmaps, which keep track of which sectors within a band have
and have not been allocated.
• Banding increases performance because the drive head does not have to return to the logical top (typically
cylinder 0) of the disk, but to the nearest band allocation bitmap to determine where a file is to be stored.
• Additionally, HPFS includes a couple of unique special data objects:

a) Super Block
• The Super Block is located in logical sector 16 and contains a pointer to the FNODE of the root directory.
• One of the biggest dangers of using HPFS is that if the Super Block is lost or corrupted due to a bad sector, so
are the contents of the partition, even if the rest of the drive is fine.
• It would be possible to recover the data on the drive by copying everything to another drive with a good
sector 16 and rebuilding the Super Block. However, this is a very complex task.
b) Spare Block
• The Spare Block is located in logical sector 17 and contains a table of "hot fixes" and the Spare Directory
Block.
• Under HPFS, when a bad sector is detected, the "hot fixes" entry is used to logically point to an existing good
sector in place of the bad sector. This technique for handling write errors is known as hot fixing.
• Hot fixing is a technique where if an error occurs because of a bad sector, the file system moves the
information to a different sector and marks the original sector as bad.
• This is all done transparent to any applications that are performing disk I/O (that is, the application never
knows that there were any problems with the hard drive).
• Using a file system that supports hot fixing will eliminate error messages such as the FAT "Abort, Retry, or
Fail?" error message that occurs when a bad sector is encountered.
Advantages of HPFS
• HPFS is best for drives in the 200-400 MB range.
Disadvantages of HPFS
• Because of the overhead involved in HPFS, it is not a very efficient choice for a volume of under
approximately 200 MB.
• With volumes larger than about 400 MB, there will be some performance degradation.
• You cannot set security on HPFS under Windows NT.
• HPFS is only supported under Windows NT versions 3.1, 3.5, and 3.51. Windows NT 4.0 cannot access HPFS
partitions.
Windows file system :NTFS

• From a user's point of view, NTFS continues to organize files into directories, which, like HPFS, are sorted.
• However, unlike FAT or HPFS, there are no "special" objects on the disk and there is no dependence on the
underlying hardware, such as 512-byte sectors.
• In addition, there are no special locations on the disk, such as FAT tables or HPFS Super Blocks.
The goals of NTFS are to provide:
• Reliability, which is especially desirable for high end systems and file servers
• A platform for added functionality
• Support for POSIX requirements
• Removal of the limitations of the FAT and HPFS file systems
Reliability
• To ensure reliability of NTFS, three major areas were addressed: recoverability, removal of fatal single sector
failures, and hot fixing.
• NTFS is a recoverable file system because it keeps track of transactions against the file system.
• When a CHKDSK is performed on FAT or HPFS, the consistency of pointers within the directory, allocation,
and file tables is checked. Under NTFS, a log of transactions against these components is maintained
so that CHKDSK need only roll back transactions to the last commit point in order to recover consistency
within the file system.
• Under FAT or HPFS, if a sector that is the location of one of the file system's special objects fails, then a
single sector failure will occur. NTFS avoids this in two ways: first, by not using special objects on the disk
and instead tracking and protecting all objects that are on the disk; second, by keeping multiple copies (the
number depends on the volume size) of the Master File Table.
Added functionality
POSIX support
NTFS is the most POSIX.1 compliant of the supported file systems because it supports the following POSIX.1
requirements:
• Case-sensitive naming: under POSIX, README.TXT, Readme.txt, and readme.txt are all different files.
• Additional time stamp: the additional time stamp supplies the time at which the file was last accessed.
• Hard links: a hard link is when two different filenames, which can be located in different directories, point to
the same data.
Remove limitations
• NTFS has greatly increased the size of files and volumes, so that they can now be up to 2^64 bytes (16
exabytes or 18,446,744,073,709,551,616 bytes).
• NTFS has also returned to the FAT concept of clusters in order to avoid the HPFS problem of a fixed sector size.
• This was done because Windows NT is a portable operating system and different disk technology is likely to
be encountered at some point. 512 bytes per sector was viewed as having a large possibility of not always
being a good fit for the allocation.
• This was accomplished by allowing the cluster to be defined as multiples of the hardware's natural allocation
size.
• Finally, in NTFS all filenames are Unicode based, and 8.3 filenames are kept along with long filenames.
Advantages of NTFS
• NTFS is best for use on volumes of about 400 MB or more. This is because performance does not degrade
under NTFS, as it does under FAT, with larger volume sizes.
• The recoverability designed into NTFS is such that a user should never have to run any sort of disk repair
utility on an NTFS partition.

Disadvantages of NTFS
• It is not recommended to use NTFS on a volume that is smaller than approximately 400 MB, because of the
amount of space overhead involved in NTFS. This space overhead is in the form of NTFS system files that
typically use at least 4 MB of drive space on a 100-MB partition.
• Currently, there is no file encryption built into NTFS. Therefore, someone can boot under MS-DOS, or
another operating system, and use a low-level disk editing utility to view data stored on an NTFS volume.
• It is not possible to format a floppy disk with the NTFS file system; Windows NT formats all floppy disks
with the FAT file system because the overhead involved in NTFS will not fit onto a floppy disk.
NTFS naming conventions

• File and directory names can be up to 255 characters long, including any extensions. Names preserve case,
but are not case-sensitive. NTFS makes no distinction of filenames based on case.
• Names can contain any characters except for the following:
?"/\<>*|:
• Currently, from the command line, you can only create file names of up to 253 characters.
Linux File System
A Linux file system is a structured collection of files on a disk drive or a partition. A partition is a segment of
memory and contains some specific data.
The Linux file system contains the following sections:
• The root directory (/)
• A specific data storage format (EXT3, EXT4, BTRFS, XFS and so on)
• A partition or logical volume having a particular file system.

Linux file system is generally a built-in layer of a Linux operating system used to handle the data management
of the storage. It helps to arrange the file on the disk storage. It manages the file name, file size, creation date,
and much more information about a file.
Linux File System Structure

• The Linux file system has a hierarchical structure: it contains a root directory and its subdirectories, and all
other directories can be accessed from the root directory.
• A partition usually has only one file system, but it may have more than one file system.
• A file system is designed in a way so that it can manage and provide space for non-volatile storage data.
• All file systems require a namespace, that is, a naming and organizational methodology.
• The namespace defines the naming process, the length of the file name, and the subset of characters that can
be used for the file name.
• The data structure needs to support a hierarchical directory structure; this structure is used to describe the
available and used disk space for a particular block. It also has the other details about the files such as file
size, date & time of creation, update, and last modified.
• It stores advanced information about the section of the disk, such as partitions and volumes.
• Linux file system contains two-part file system software implementation architecture.
• The file system requires an API (Application programming interface) to access the function calls to interact
with file system components like files and directories.
• API facilitates tasks such as creating, deleting, and copying the files. It facilitates an algorithm that defines the
arrangement of files on a file system.
• The first two parts of the given file system are together called the Linux virtual file system. It provides a
single set of commands for the kernel and developers to access the file system. This virtual file system
requires the specific system driver to give an interface to the file system.
• In Linux, the file system creates a tree structure. All the files are arranged as a tree and its branches. The
topmost directory is called the root (/) directory.
• All other directories in Linux can be accessed from the root directory.
Android

• Android's file system structure exhibits similarities with Linux due to its foundation on the Linux kernel, yet it
possesses distinct characteristics.
• Android doesn't use drives or directories but employs partitions within a singular directory, akin to a tree with
varied branches.
• Users navigate these partitions using file managers to organize their files amidst what might seem like a
chaotic storage system.
• In Java, the FileSystems class facilitates access to the default file system through methods
like FileSystems.getDefault(), offering a gateway to interact with files and other system objects.
• A File System is a Factory for Several Types of Objects
• The getPath method converts a system-dependent path string, returning a Path object that may be used to
locate and access a file.
• The getPathMatcher method is used to create a PathMatcher that performs match operations on paths.
• The getFileStores method returns an iterator over the underlying file stores.
• The getUserPrincipalLookupService method returns the UserPrincipalLookupService to look up users or
groups by name.
• The newWatchService method creates a WatchService that may be used to watch objects for changes and
events.
• Access to all these partitions is provided via APIs including Java File API to provide a standard interface to
access and manipulate the data and the files on the device.
Slack space

Filesystems use file allocation units to store files. Even if a file requires less space than the file allocation unit
size, an entire file allocation unit is still reserved for the file. For example, if the file allocation unit size is 32
kilobytes (KB) and a file is only 7 KB, the entire 32 KB is still allocated to the file, but only 7 KB is used,
resulting in 25 KB of unused space. This unused space is referred to as file slack space, and it may hold residual
data such as portions of deleted files.

Slack space is an important form of evidence in the field of forensic investigation. Often, slack space can
contain relevant information about a suspect that a prosecutor can use in a trial. For example, if a user deleted
files that filled an entire hard drive cluster, and then saved new files that only filled half of the cluster, the later
half would not necessarily be empty. It may include leftover information from the deleted files. This information
could be extracted by forensic investigators using special computer forensic tools.
• File System Slack
There are typically a few sectors left at the end of a hard drive, that don’t add up to enough to make a cluster. In
the 70’s, with the lower density circular disks and platters, the engineers crammed as much data storage as they
could on to the shape of the storage media. While the total storage capacity used up every bit of the round media,
it didn’t add up to a total that was evenly divisible by the logical structures used by the hard drive or floppy
drive’s controller. This should only amount to a few sectors in size. Some people call this Disk Slack.
• Volume Slack
After a hard drive is divided up into partition(s), there may be some clusters left unused. This slack space can be
very large, if the user is anticipating the creation of another future partition, or if they are intentionally creating a
hidden space to hide data in. In this context, a disk volume is a representation of the entire hard drive, to the
computer system.
• Partition Slack
A partition is created to a specified size in sectors, that may not add up to an evenly divisible number of
clusters. The few sectors left over are slack space. This should only amount to a few sectors in size.
• File Slack
Storage space, after the data in a file, that fills the remaining capacity of the file’s last cluster. These bytes
include the RAM Slack followed by the Drive Slack. This extra space is included in the file’s “physical” size,
and not in its “logical” size. For example, if a 2KB file is stored on a disk with 4KB sectors and 16KB clusters,
then the RAM Slack is 2KB (to complete the first sector’s 4KB) and the Drive Slack is 12KB (to complete the
cluster’s 16KB). Some people call this Disk Slack.
• RAM Slack
When a file’s size leaves an incomplete sector, that last occupied sector needs to be completed in order to be
written. Disk controllers write data to the disk in one or more sectors or clusters at a time. In the 80’s, the
Microsoft/Personal Computer Disk Operating System (MS/PC DOS) grabbed the remaining bytes, to complete a
sector, from RAM (MS Windows 95a and earlier). That is how this slack became known as RAM Slack. In
today’s operating systems (MS Windows 95b and later), this potential data leakage threat has been resolved by
filling the remaining bytes with zeros. So, there is no value in collecting RAM slack, unless you are working
with extremely old hard drives.
• Drive Slack
(AKA Cluster Slack, Residual Slack) When a file’s size leaves some unoccupied sectors in its final cluster,
those remaining sectors typically aren’t overwritten. If a different file’s data, that was previously lost or deleted,
is in those sectors on the drive, then they are now protected from deletion as a new addition to the clusters
marked for the newly written file. This slack has the potential for investigators being able to recover data from
the past, along with file carving the unused disk space on the drive. Solid State Drives (SSD) may not retain any
Drive Slack, depending on their garbage collection setting. Some people call this Disk Slack.
• Object Slack
Each file format uses its own structure for storing blocks of data, which we universally refer to as
Objects. Some file formats reserve more bytes than are needed for objects. For example, chunk based file types
often require objects to be a size that is a multiple of 4 bytes. If an object ends up being 10 bytes, then it is
padded with trailing zeros to 12 bytes, which makes it end on a 4 byte multiple. Depending on the naming
convention used in a file type, this slack may be named something else, like “Stream Slack”.
• Field Slack
Each object type uses its own structure for storing smaller blocks of data, which we universally refer to as
Fields. Some file formats reserve more bytes than are needed for fields. For example, a text string may be 16
bytes long plus an additional trailing zero. The file format may reserve 32 bytes for that string. In that case, 15
bytes are wasted as field slack.
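As an added worked example (not part of the original slides), the file-slack arithmetic above in Python. It computes physical size, RAM slack and drive slack for the 2 KB file / 4 KB sector / 16 KB cluster case and for the 7 KB file / 32 KB allocation-unit case, and it models a cluster of a deleted file being reused by a smaller file so that the drive slack still carries the old bytes while the RAM slack is zero-filled, as modern operating systems do. The geometry constants, the old-file text and all function names are constructed for this example, and the functions generalise to any sector/cluster geometry where a cluster is a whole number of sectors.

```python
# Constructed geometry matching the worked example in the text:
# 4 KB sectors grouped into 16 KB clusters (4 sectors per cluster).
SECTOR_SIZE = 4096
CLUSTER_SIZE = 16384


def ceil_div(a, b):
    """Integer ceiling division, exact for any sizes."""
    return -(-a // b)


def slack_breakdown(logical_size, sector_size=SECTOR_SIZE, cluster_size=CLUSTER_SIZE):
    """Split the space allocated to a file into used bytes, RAM slack and drive slack.

    physical size = whole clusters allocated * cluster_size
    RAM slack     = bytes from the end of the data to the end of the last written sector
    drive slack   = whole sectors of the final cluster that the file never wrote
    """
    if cluster_size % sector_size:
        raise ValueError("a cluster must be a whole number of sectors")
    if logical_size == 0:
        # Assumption for this model: an empty file owns no cluster, hence no slack.
        return {"physical_size": 0, "ram_slack": 0, "drive_slack": 0, "total_slack": 0}
    physical_size = ceil_div(logical_size, cluster_size) * cluster_size
    last_written = ceil_div(logical_size, sector_size) * sector_size
    return {
        "physical_size": physical_size,
        "ram_slack": last_written - logical_size,
        "drive_slack": physical_size - last_written,
        "total_slack": physical_size - logical_size,
    }


def reuse_cluster(old_contents, new_data, sector_size=SECTOR_SIZE, cluster_size=CLUSTER_SIZE):
    """Model a cluster that held a now-deleted file being reused for a smaller file
    by a modern OS: the new data is written, the RAM slack of its last sector is
    zero-filled, and the sectors it never reaches keep the old bytes (drive slack)."""
    if len(new_data) > cluster_size:
        raise ValueError("this model handles a single final cluster only")
    cluster = bytearray(old_contents[:cluster_size].ljust(cluster_size, b"\x00"))
    last_written = ceil_div(len(new_data), sector_size) * sector_size
    cluster[:len(new_data)] = new_data
    cluster[len(new_data):last_written] = bytes(last_written - len(new_data))
    return bytes(cluster)


def carve_drive_slack(cluster, logical_size, sector_size=SECTOR_SIZE):
    """Return the drive-slack bytes of a file's final cluster: everything past the
    last sector the current file wrote, where residue of older files may survive."""
    last_written = ceil_div(logical_size, sector_size) * sector_size
    return cluster[last_written:]


# Constructed sample: a deleted 16 KB file whose cluster is reused by a 2 KB file.
OLD_FILE = (b"DELETED INVOICE 2019 " * 800)[:CLUSTER_SIZE]
NEW_FILE = b"N" * 2048

if __name__ == "__main__":
    print(slack_breakdown(len(NEW_FILE)))
    cluster = reuse_cluster(OLD_FILE, NEW_FILE)
    residue = carve_drive_slack(cluster, len(NEW_FILE))
    print(len(residue), b"DELETED INVOICE" in residue)
```

For the 2 KB file the breakdown gives 2048 bytes of RAM slack and 12288 bytes of drive slack, matching the text; for the 7 KB file in a 32 KB allocation unit it gives 25 KB of total slack. The carve step shows why drive slack matters to an examiner: the 12 KB past the last written sector is exactly the old file's bytes.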
Evidence Preservation

Digital evidence can be defined as any electronic data that is
• Stored or transmitted (sent or received) in a digital form (binary numeral system) on an electronic device
• Used to evidence an incident (any event of interest) to an ongoing investigation or to a court of law. It is
therefore determined to be relevant to a given case and can be processed as information of value to that case
• Documented by a Digital Forensics Examiner
Where can you locate the digital evidence?
• It is usually stored inside the Hard Disk Drives (HDD) or Solid State Drive (SSD) of a computer, Flash
Memory of peripheral devices such as mobile phones, USB pen-drives and camera memory-cards; or external
storage units including CDs and DVDs.
How can you preserve the digital evidence?

• Since digital evidence can be extracted from both your disk drives and the volatile memory of your device
(laptop, mobile etc) as discussed earlier, make sure you hibernate your computer instead of shutdown. This
will preserve the content of the volatile memory in the hard disk itself until next system boot.

• The Hibernate button might not be enabled by default in your system. In this case, you are strongly advised to
enable this feature. For instance, in Windows 8, this is possible if you use Windows Explorer to open the
following location:
Control Panel\Hardware and Sound\Power Options\System Settings
• and then click
‘Change settings that are currently unavailable’
• Now look at ‘Shut-down settings’ and put a tick on ‘Hibernate (Show in Power menu)’
• In the case of mobile phones, you might not have a hibernate option but you can turn off your mobile phone
immediately (or as soon as possible) to preserve cell tower location (your location) and stop any possible
changes to data on the phone. This is the best option in most cases. Once you turn-off your mobile device, not
only do you preserve the state of the data inside, but you also stop any remote communications. Remember, if
you have a good reason to think a stalker has obtained remote access to your system, they could destroy
evidential data without your knowledge.

• If the evidence is located on your mobile device, but you do not feel happy turning the device off or you
need to keep it turned on and connected to the network, then try to take screenshots and/or copy the data to
alternative storage to mitigate the risk of remote access. If your device cannot be switched off for whatever
reason, you need to highlight this to the Police at the earliest opportunity to see if the evidential data extraction
can be completed as a priority.
• After you hibernate or turn-off the device, remove battery and disconnect any charging cables. This will
prevent any automatic booting.

• Share the details of all the digital devices you own with the police, this will help their team to prepare well for
the type of devices from which digital evidence can be extracted.

• If the evidence is held on your Facebook account then you can download a full archive of your account as a
snapshot at that particular time and date to help preserve the evidence. This can be very useful given the
constantly changing nature of Facebook. You can do this extraction prior to the Police attending. Instructions
on how to download an archive copy of your account can be found on Facebook’s help pages. If you do this
then you should save the files somewhere secure with easy access to then show the Police, preferably not on
any hard drives that the Police will likely need to seize/recover, so a USB pen drive or CD/DVD would be
best if possible.
What if your evidence files were deleted?
If you have deleted files that you want to produce as evidence, do not worry; they might be recoverable. Whilst
you can manually restore deleted files in Windows from the Recycle Bin, forensics investigators have tools that
could recover deleted (and at times damaged) files beyond this point. For example, with the capabilities of your
Operating System, you permanently lose your files at the user-level if you quick-format, or manually delete a
file on your USB pen-drive. It is however possible to recover this data with forensics tools under certain
conditions. Hence, if you mistakenly delete or format evidence, do not assume you have lost them, but also do
not try to recover these yourself. The best action is to isolate the memory card or switch-off the device and ask
for a professional opinion. The second you begin to create a new file, save data or download free recovery tools
you are risking overwriting this “deleted” data, which may potentially make it unrecoverable.
Is it acceptable to copy, move or rename evidence files?
The simple answer to this question is that you should not attempt to do any of these actions. To understand the
reason behind this advice you should know that digital evidence is not always in the form of human-readable
files such as images and English text files. Instead, there are many (supporting) files created and maintained by
software that can be used to provide the forensics examiner with critical information about the cyber
environment under investigation. This can include network connections, evidence of spyware installed, log files
stored in self-contained databases (e.g. SQLite) and metadata.
A practical example of how metadata can be damaged is when you copy a file from your Windows drive to a
USB pen-drive formatted with FAT32. Windows often shows the following warning message:
“Are you sure you want to copy this file without its properties?” This technically means that FAT32 cannot
accommodate the metadata of the file you are trying to copy; hence, Windows is warning you that the picture
alone (with no metadata) will be copied to your USB pen-drive.
• How can you preserve sound (admissible) evidence for a court of law?
Any admitted evidence must be in an identical state to how it was first acquired from the crime scene (or simply
your device) wherever it is practicable to do so. Otherwise the reasons for any copies need to be fully documented
by the Police, and it will be down to the courts as to whether this evidence is admissible or not. After a court of
law determines the evidence to be relevant to the case, its authenticity and integrity will be examined. In the case
of digital files, and since they can be easily altered or disconnected from supporting metadata, the evidence
integrity is mainly challenged. Integrity, authenticity and fully documented continuity are therefore the key drivers
of what to do (or not to do).
Further, it is a court requirement that the digital evidence is obtained with authorisation. Hence, make sure you
have ownership of the devices you submit and support with your consent.
Evidence Handling
• Digital evidence is volatile and fragile and the improper handling of this evidence can alter it. Because of its
volatility and fragility, protocols need to be followed to ensure that data is not modified during its handling (i.e.,
during its access, collection, packaging, transfer, and storage). These protocols delineate the steps to be followed
when handling digital evidence. There are four phases involved in the initial handling of digital evidence:
identification, collection, acquisition, and preservation.
• There are protocols for collecting volatile evidence. Volatile evidence should be collected based on the order
of volatility; that is, the most volatile evidence should be collected first, and the least volatile should be collected
last. The Request for Comments (RFC) 3227 document provides the following sample of the order of volatile
data (from most to least volatile) for standard systems (Brezinski and Killalea, 2002):
• registers, cache
• routing table, ...[address resolution protocol or ARP] cache, process table, kernel statistics, memory
• temporary file systems
• disk
• remote logging and monitoring data that is relevant to the system in question
• physical configuration, network topology
• archival media
• Identification
• In the identification phase, preliminary information is obtained about the cybercrime case prior to collecting
digital evidence. This preliminary information is similar to that which is sought during a traditional criminal
investigation. The investigator seeks to answer the following questions:
• Who was involved?
• What happened?
• When did the cybercrime occur?
• Where did the cybercrime occur?
• How did the cybercrime occur?
The answers to these questions will provide investigators with guidance on how to proceed with the case. For
example, the answer to the question "where did this crime occur?" (that is, within or outside of a country's
borders) shapes how the investigation proceeds.
In the identification phase, cybercrime investigators use many traditional investigative techniques (see:
UNODC, Policing: Crime Investigation for a detailed analysis of these techniques), especially with respect to
information and evidence gathering.
Collection
• With respect to cybercrime, the crime scene is not limited to the physical location of digital devices used in the
commission of the cybercrime and/or that were the target of the cybercrime. The cybercrime crime scene also
includes the digital devices that potentially hold digital evidence, and spans multiple digital devices, systems,
and servers. The crime scene is secured when a cybercrime is observed, reported, and/or suspected. The first
responder (discussed in Cybercrime Module 5 on Cybercrime Investigations) identifies and protects the crime
scene from contamination and preserves volatile evidence by isolating the users of all digital devices found at
the crime scene.
• The users must not be given the opportunity to further operate the digital devices. Neither should the first
responder nor the investigator seek the assistance of any user during the search and documentation process. The
investigator, if different from the first responder, searches the crime scene and identifies the evidence. Before
evidence is collected, the crime scene is documented. Documentation is needed throughout the entire
investigative process (before, during, and after the evidence has been acquired). This documentation should
include detailed information about the digital devices collected, including the operational state of the device -
on, off, standby mode - and its physical characteristics, such as make, model, serial number, connections, and
any markings or other damage.
• Collecting volatile data can alter the memory content of digital devices and data within them.
Acquisition
• Different approaches to performing acquisition exist. The approach taken depends on the type of digital
device. For example, the procedure for acquiring evidence from a computer hard drive is different from the
procedure required to obtain digital evidence from mobile devices, such as smartphones.
• Unless live acquisition is performed, evidence is extracted from the seized digital devices at the forensic
laboratory (i.e., static acquisition). At the forensics laboratory, digital evidence should be acquired in a
manner that preserves the integrity of the evidence (i.e., ensuring that the data is unaltered); that is, in
a forensically sound manner (see Cybercrime Module 4 on Introduction to Digital Forensics). To achieve this,
the tools and techniques used to acquire digital evidence must prevent alterations to the data or, when this is
not possible, at the very least minimize them (SWGDE Best Practices for Computer Forensic Acquisitions,
2018). The tools and techniques used should be valid and reliable (NIST, n.d.; SWGDE Recommended
Guidelines for Validation Testing, 2014; US National Institute of Justice, 2007b). The limitations of these
tools and techniques should be identified and considered before their use (SWGDE Best Practices for
Computer Forensic Acquisitions, 2018). The US National Institute of Standards and Technology has a
searchable digital forensics tools database with tools with various functionalities (e.g., cloud forensics tools,
among others) (for more information on digital forensics tools, see Cybercrime Module 4 on Introduction to
Digital Forensics).
Preservation
• Evidence preservation seeks to protect digital evidence from modification. The integrity of digital
evidence should be maintained in each phase of the handling of digital evidence (ISO/IEC 27037).
First responders, investigators, crime scene technicians, and/or digital forensics experts must
demonstrate, wherever possible, that digital evidence was not modified during the identification,
collection, and acquisition phase; the ability to do so, of course, depends on the digital device (e.g.,
computer and mobile phones) and circumstances encountered by them (e.g., need to quickly
preserve data). To demonstrate this, a chain of custody must be maintained. The chain of custody is
"the process by which investigators preserve the crime (or incident) scene and evidence throughout
the life cycle of a case. It includes information about who collected the evidence, where and how
the evidence was collected, which individuals took possession of the evidence, and when they took
possession of it" (Maras, 2014, 377; Cybercrime Module 4 on Introduction to Digital Forensics). In
the chain of custody, the names, titles, and contact information of the individuals who identified,
collected, and acquired the evidence should be documented, as well as any other individuals the
evidence was transferred to, details about the evidence that was transferred, the time and date of
transfer, and the purpose of the transfer.
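An added example, not from the original slides or from the UNODC, ISO/IEC 27037 or SWGDE material they cite: a minimal chain-of-custody ledger in Python that records each hand-over (who, where, when, why) together with the SHA-256 of the evidence at that moment, so that a later integrity failure is pinned to the transfer where it arose instead of surfacing only in court. The case and exhibit identifiers, handler names and the evidence bytes are constructed placeholders; hashing a real disk or phone image works the same way.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for an acquired evidence image (a real one is a full disk
# or phone image, hashed the same way).
EVIDENCE_IMAGE = b"constructed sample evidence image\n" * 64


def sha256_hex(data):
    """Hex SHA-256 of the evidence bytes; the fingerprint every custody entry carries."""
    return hashlib.sha256(data).hexdigest()


class ChainOfCustody:
    """Append-only custody ledger for one exhibit.

    Each entry stores the hash of the evidence at the time of the hand-over and
    whether it still equals the hash taken at acquisition."""

    def __init__(self, case_id, exhibit_id, image):
        self.case_id = case_id
        self.exhibit_id = exhibit_id
        self.acquisition_hash = sha256_hex(image)
        self.entries = []

    def record(self, action, handler, where, purpose, image, when=None):
        """Log one custody event and return the entry that was appended."""
        when = when or datetime.now(timezone.utc)
        digest = sha256_hex(image)
        entry = {
            "case_id": self.case_id,
            "exhibit_id": self.exhibit_id,
            "action": action,
            "handler": handler,
            "where": where,
            "purpose": purpose,
            "time_utc": when.isoformat(),
            "sha256": digest,
            "matches_acquisition": digest == self.acquisition_hash,
        }
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (True, None) if every entry still matches the acquisition hash,
        otherwise (False, index of the first entry where the evidence differed)."""
        for index, entry in enumerate(self.entries):
            if not entry["matches_acquisition"]:
                return False, index
        return True, None

    def to_jsonl(self):
        """One JSON object per line: easy to append to, diff and archive with the case."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def demo_custody():
    """Walk an exhibit through acquisition, one clean transfer and one transfer
    where the bytes no longer match; returns the ledger for inspection."""
    ledger = ChainOfCustody("CASE-0001", "EXH-01", EVIDENCE_IMAGE)  # constructed ids
    ledger.record("acquired", "Examiner A", "lab bench 3", "imaging", EVIDENCE_IMAGE)
    ledger.record("transferred", "Analyst B", "evidence locker", "analysis", EVIDENCE_IMAGE)
    altered = EVIDENCE_IMAGE[:-1] + b"X"  # constructed one-byte change
    ledger.record("transferred", "Reviewer C", "review room", "peer review", altered)
    return ledger


if __name__ == "__main__":
    ledger = demo_custody()
    print(ledger.to_jsonl())
    print(ledger.verify())
```

A single changed byte anywhere in the image changes the digest, so the third entry fails and `verify()` names it; the first two entries, taken on the unchanged bytes, carry the acquisition hash. Keeping the ledger as JSON lines keeps it append-only in practice and easy to attach to the documentation the text asks for.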
• Analysis and Reporting
• In addition to the handling of digital evidence, the digital forensics process also involves the examination and interpretation
of digital evidence (analysis phase), and the communication of the findings of the analysis (reporting phase). During the
analysis phase, digital evidence is extracted from the device, data is analysed, and events are reconstructed. Before the
analysis of the digital evidence, the digital forensics analyst in the laboratory must be informed of the objectives of the
search, and provided with some background knowledge of the case and any other information that was obtained during the
investigation that can assist the forensics analyst in this phase (e.g., IP address or MAC addresses). Various forms of
analyses are performed depending on the type of digital evidence sought, such as network, file system, application, video,
image, and media analysis (i.e., analysis of data on storage device) (Grance, Chevalier, Kent, and Dang, 2005; Carrier,
2005; European Network of Forensic Science Institute, 2015; SWGDE Best Practices for Image Authentication, 2018;
SWGDE Best Practices for Image Content Analysis, 2017; SWGDE Guidelines for Forensic Image Analysis, 2017;
SWGDE Best Practices for Data Acquisition from Digital Video Recorders, 2018; SWGDE Best Practices for Digital &
Multimedia Evidence Video Acquisition from Cloud Storage, 2018). Files are analysed to determine their origin, and when
and where the data was created, modified, accessed, downloaded, or uploaded, and the potential connection of these files
on storage devices to, for example, remote storage, such as cloud-based storage (Carrier, 2005). The type of digital
evidence (e.g., emails, text messages, geolocation, Word processing documents, images, videos, and chat logs) sought
depends on the cybercrime case.

• Generally, there are four types of analyses that can be performed on computers: time-frame analysis; ownership and
possession analysis; application and file analysis; and data hiding analysis. The time-frame analysis seeks to create a
timeline or time sequence of actions using time stamps (date and time) that led to an event or to determine the time and
• Cross contamination of evidence refers to the transfer of physical evidence from one source to another,
potentially contaminating or altering the integrity of the original evidence. This can occur through a variety of
means, including handling, storage, or transport of the evidence.
• Cross-contamination in the context of digital evidence refers to any process or mishap that can potentially
alter, degrade, or compromise the integrity of the data. Unlike physical evidence, digital cross-contamination
involves the unintended transfer or alteration of data through improper handling, storage, or processing
practices.

• Examples of cross contamination of evidence may include:
Cross contamination of digital evidence refers to the unintentional introduction of external data or contamination
of the original data during the process of collecting, handling, and analyzing digital evidence. This can occur
when different devices or storage media are used to handle or store the evidence, or when the original data is
modified or altered in any way.
One example of cross contamination of digital evidence is when a forensic investigator uses the same device to
collect evidence from multiple sources. If the device is not properly sanitized between uses, the data from one
source could be mixed with data from another source, making it difficult to accurately determine the origin of
the data.
• Another example of cross-contamination of digital evidence is when an investigator copies data from a device
to storage media, such as a USB drive or hard drive, without properly sanitizing the storage media first. If
the storage media contains data from previous cases, it could mix with the new data and contaminate the
original evidence.
• Cross-contamination of digital evidence can also occur when an investigator opens or accesses a file or device
without taking proper precautions, such as making a copy of the original data or using a forensic tool to
preserve the data. This can result in the original data being modified or altered, which could affect the
authenticity and integrity of the evidence.
• Cross-contamination of digital evidence is a significant concern in forensic investigations because it can
compromise the reliability and accuracy of the evidence, potentially leading to false conclusions or incorrect
results. Forensic investigators must take proper precautions to prevent cross-contamination, such as using
proper forensic tools and techniques, sanitizing devices and storage media, and following established
protocols and procedures.
• Preventative Measures:
To prevent such scenarios, forensic labs must institute and rigorously enforce the following protocols:
1. Strict Sanitization Policies:
Implement mandatory procedures for the wiping and sanitization of all collection and storage media before and
after each use. This includes physical drives, USB sticks, and any other digital storage devices.
2. Automated Sanitization Logs:
Utilize software solutions that automatically log all sanitization processes, creating an auditable trail that ensures
each device is cleaned according to protocol.
3. Regular Training on Evidence Handling:
Conduct frequent training sessions for all forensic personnel on the importance of evidence integrity, focusing on
the risks associated with cross-contamination and the procedures to prevent it.
4. Quality Control Checks:
Introduce routine quality control checks where another examiner reviews the sanitization and preparation of
collection disks before they are used in a new case.
5. Use of Write-Blocking Devices:
Employ write-blocking devices that allow for the secure reading of evidence from storage media without the risk
of writing any data to the device, further preventing contamination.
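As an added example (not part of the original slides), the Python routine below implements measures 1, 2 and 4 in software: before collection media is reused it verifies that the media image reads back as all zeros, hashes it, and appends a JSON-lines audit record that a second examiner can review. The sample media images, log path and examiner id are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read media in 1 MiB chunks so large images never load into memory


def sha256_of(path):
    """Streamed SHA-256 of a media image; the digest goes into the audit record."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def is_zero_filled(path):
    """True only if every byte is 0x00, i.e. the wipe left no residual data."""
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            if chunk.count(0) != len(chunk):
                return False  # stop at the first chunk holding residual bytes
    return True


def log_sanitization(media_path, log_path, examiner):
    """Verify that collection media is wiped and append one JSON record to an
    append-only log, so another examiner can audit it before reuse on a new case."""
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "media": os.path.basename(media_path),
        "size_bytes": os.path.getsize(media_path),
        "sha256": sha256_of(media_path),
        "examiner": examiner,
        "verified_clean": is_zero_filled(media_path),
    }
    with open(log_path, "a") as log:
        log.write(json.dumps(record) + "\n")
    return record


def demo():
    """Constructed sample media: a wiped 4 KiB image and one with leftover bytes."""
    tmp = tempfile.mkdtemp()
    wiped, dirty = os.path.join(tmp, "usb_A.img"), os.path.join(tmp, "usb_B.img")
    with open(wiped, "wb") as f:
        f.write(b"\x00" * 4096)
    with open(dirty, "wb") as f:
        f.write(b"\x00" * 2048 + b"RESIDUAL-OLD-CASE-DATA" + b"\x00" * 2026)
    log = os.path.join(tmp, "sanitization.jsonl")
    return [log_sanitization(p, log, "examiner-1") for p in (wiped, dirty)], log
```

A record with `"verified_clean": false` is the signal for the quality-control reviewer that the media must be re-wiped before it touches a new case.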