
IST 454: Computer & Cyber Forensics Lab Evidence


Computer & Cyber Forensics Case Study

This portfolio-safe case study summarizes selected IST 454 Computer and Cyber Forensics work focused on forensic image creation, forensic image mounting, hash verification, Windows registry analysis, data carving, deleted file recovery, IoT forensics, and AI-assisted security/forensics research.

Course: IST 454
Project Type: Computer & Cyber Forensics Lab Evidence
Focus: Forensic Imaging · Registry Analysis · Data Carving · Reporting
Tools / Platforms: FTK Imager · WinHex · RegRipper · Registry Viewer · Kali Linux · dcfldd
Research Angle: AI Security Datasets · IoT Forensics · Multi-Source Evidence
Publishing Level: Portfolio-Safe / Partial Evidence / No Raw Images Published

Overview

IST 454 focused on computer and cyber forensics. The available evidence from this course supports a portfolio-safe summary around digital evidence handling, forensic image creation, forensic image mounting, hash verification, registry analysis, deleted file recovery, data carving, and research into AI/IoT forensics.

I do not currently have every original lab submission from this course. Because of that, this page is intentionally framed as selected lab evidence, not a complete course archive.

The strongest evidence available includes:

  • Windows forensic image creation and mounting
  • Kali Linux disk image creation and hashing
  • MD5 and SHA256 hash comparison
  • read-only image handling
  • Windows registry hive recovery and analysis
  • SAM, SYSTEM, and NTUSER registry review concepts
  • RegRipper usage
  • deleted image recovery
  • deleted document recovery
  • WinHex data carving
  • file recovery by type
  • group analysis of recovered documents and encrypted file indicators
  • research on AI-based cybersecurity and forensics datasets
  • discussion of IoT forensics, proprietary data formats, privacy, and investigation challenges

This page is intentionally written as a sanitized case study. It does not publish raw forensic images, full screenshots, complete lab answers, raw recovered documents, private academic submissions, passwords, case artifacts, or full evidence files.


Why This Project Matters

Digital forensics is one of the clearest bridges between cybersecurity operations and evidence-based investigation.

A useful forensic workflow needs to preserve evidence, maintain integrity, recover relevant artifacts, analyze system state, and communicate findings clearly.

This course supports several cybersecurity capabilities:

  • evidence preservation
  • forensic acquisition
  • image mounting
  • hash verification
  • read-only analysis discipline
  • registry analysis
  • user activity review
  • deleted file recovery
  • data carving
  • forensic reporting
  • AI/IoT forensic research awareness

This matters for security operations because incidents often require more than alert triage. Analysts may need to understand what happened on a system, what files existed, what was deleted, what devices were connected, what user activity occurred, and whether evidence was handled correctly.


Portfolio-Safe Publishing Approach

Security and privacy note: This page summarizes forensic lab evidence without publishing raw forensic images, recovered files, complete reports, passwords, full screenshots, private student identifiers, or detailed evidence artifacts.

This page excludes:

  • raw forensic images
  • mounted disk image contents
  • full recovered files
  • recovered images or documents
  • registry hive files
  • exact lab passwords
  • private screenshots
  • full group submissions
  • raw academic answers
  • private course materials
  • complete step-by-step instructions

Instead, it presents:

  • forensic workflows
  • tools used
  • evidence categories
  • portfolio-safe technical summaries
  • professional lessons learned
  • relevance to incident response and security operations

Evidence-Based Scope

Because not every lab file is available, this page uses a conservative evidence scope.

Available Evidence | What It Supports | Confidence
Windows Image Creation and Mounting Lab | Supports forensic image creation, E01 image output, verification, mounting, and read-only forensic access using FTK Imager. | Strong
Kali Linux Image Creation and Hashing Lab | Supports Linux partition identification, dcfldd-based disk imaging, MD5/SHA256 hash generation, read-only image handling, and hash comparison for integrity verification. | Strong
Windows Registry Analysis Lab | Supports registry hive recovery and analysis, including SAM, SYSTEM, USBSTOR, NTUSER.DAT, Registry Viewer, and RegRipper-based user activity review. | Strong
Windows Data Carving Lab | Supports forensic image mounting, WinHex-based recovery by type, deleted image recovery, deleted document recovery, and output organization. | Strong
Group Lab 5 Evidence | Supports applied document recovery, repeated content identification, missing file reasoning, encrypted file observation, and analysis using FTK/WinHex outputs. | Moderate
AI / IoT Forensics Research Essay | Supports research into AI-based security datasets, heterogeneous telemetry sources, IoT forensics, privacy issues, intrusion detection, digital forensics, and AI-assisted security analysis. | Strong

Forensic Workflow Map

1. Identify and Preserve Evidence (Preservation)

Forensic work began with identifying disks, partitions, evidence sources, and target images while avoiding unnecessary alteration of original evidence.

2. Create Forensic Images (Acquisition)

Created forensic images using FTK Imager and dcfldd-style workflows, including compressed forensic image formats and disk image output.

3. Verify Integrity (Hash Verification)

Used hash generation and comparison, with MD5 and SHA256, to confirm image integrity and support evidence reliability.

4. Mount Images Read-Only (Read-Only Analysis)

Mounted forensic images read-only so analysis could be performed without modifying the evidence source.

5. Recover and Analyze Artifacts (Artifact Recovery)

Recovered registry hives, reviewed user/system registry data, carved deleted images and documents, and examined recovered artifacts.

6. Report Findings (Reporting)

Converted forensic observations into portfolio-safe findings, including recovered file categories, registry analysis relevance, and research implications.


Forensic Imaging Evidence

The course evidence includes both Windows and Linux imaging workflows.

The Windows imaging lab involved:

  • launching FTK Imager
  • creating a forensic image
  • selecting evidence source type
  • choosing an E01-style image output
  • entering case/evidence/examiner metadata
  • saving the image to a case folder
  • verifying the image
  • mounting the forensic image
  • selecting a drive letter
  • confirming read-only mounting
  • preparing the mounted image for later analysis

The Kali Linux imaging lab involved:

  • identifying partitions
  • selecting a target partition
  • creating a disk image using dcfldd
  • generating MD5 and SHA256 hash logs during imaging
  • setting the resulting image to read-only
  • hashing the original source for comparison
  • discussing hash comparison and evidence integrity

The key lesson is that forensic analysis should be performed on an acquired image rather than directly on original evidence, and that hashing supports evidence integrity.
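The hashing-during-acquisition and later source-comparison flow from the Kali lab, written out as an added Python example for this page (it is not the lab's own script or dcfldd code). It reads the image in fixed-size chunks, computes MD5 and SHA256 in a single pass the way a hashing acquisition does, parses a hash log assumed to be in the md5sum/sha256sum "<digest>  <name>" format, and fails verification when any listed digest differs. The sample image and the log lines are constructed inline; dcfldd's own hashlog output is laid out differently, so the parser would need adapting to the log actually produced.

```python
"""Hash-based integrity verification of a forensic image (added example).

Mirrors the lab flow: hash during acquisition, write a hash log, re-hash the
source (or the image) later and compare. Image data and log lines below are
constructed for illustration only.
"""
import hashlib

CHUNK = 1 << 20  # 1 MiB reads so a multi-GB image is never held in memory at once


def hash_image(data: bytes, chunk: int = CHUNK) -> dict:
    """Compute MD5 and SHA256 in one pass over the image bytes.

    Both are kept because examiners routinely record more than one digest:
    a collision in one algorithm does not help an adversary against the other.
    """
    md5, sha = hashlib.md5(), hashlib.sha256()
    for i in range(0, len(data), chunk):
        block = data[i:i + chunk]
        md5.update(block)
        sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def parse_hash_log(text: str) -> dict:
    """Parse '<digest>  <name>' lines (assumed md5sum/sha256sum style).

    The digest length identifies the algorithm: 32 hex chars -> MD5,
    64 hex chars -> SHA256. Unrecognised lines are ignored.
    """
    expected = {}
    for line in text.splitlines():
        parts = line.split(maxsplit=1)
        if len(parts) != 2:
            continue
        digest, _name = parts
        algo = {32: "md5", 64: "sha256"}.get(len(digest))
        if algo:
            expected[algo] = digest.lower()
    return expected


def verify(data: bytes, log_text: str) -> tuple:
    """Return (ok, report) comparing fresh hashes of `data` with the log.

    Every algorithm present in the log must match. An empty log is treated as
    a failure rather than a pass, so a missing or unreadable log can never be
    mistaken for successful verification.
    """
    actual = hash_image(data)
    expected = parse_hash_log(log_text)
    if not expected:
        return False, {"error": "no digests found in hash log"}
    report = {algo: actual[algo] == digest for algo, digest in expected.items()}
    return all(report.values()), report


# Constructed stand-in for an acquired image (a real run streams the .dd file).
SAMPLE_IMAGE = bytes(range(256)) * 4096  # 1 MiB of deterministic bytes


def demo() -> tuple:
    """Acquire, log, verify the clean image, then verify a one-bit-altered copy."""
    acquired = hash_image(SAMPLE_IMAGE)
    log = f"{acquired['md5']}  evidence.dd\n{acquired['sha256']}  evidence.dd\n"
    ok_clean, _ = verify(SAMPLE_IMAGE, log)
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[4000] ^= 0x01  # flip a single bit somewhere in the image
    ok_tampered, report = verify(bytes(tampered), log)
    return ok_clean, ok_tampered, report


if __name__ == "__main__":
    print(demo())  # clean image verifies; the altered copy fails on both digests
```

The point the single-bit flip makes is the one the lab relied on: any change to the acquired data, however small, changes both digests, so a matching pair of hashes recorded at acquisition time is what lets a later examiner trust that the image they mount is the one that was taken.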


Registry Analysis Evidence

The registry analysis lab supported Windows forensic analysis concepts.

The available evidence includes work around:

  • recovering registry hives
  • exporting SAM and SYSTEM files
  • analyzing SAM with Registry Viewer
  • reviewing user account information
  • analyzing SYSTEM registry data
  • identifying connected USB device artifacts through USBSTOR
  • recovering NTUSER.DAT
  • using RegRipper to analyze NTUSER data
  • searching for recently opened files
  • using registry artifacts to infer user or system activity

This is relevant because the Windows registry can contain important evidence about user behavior, connected devices, account information, system configuration, and recent activity.


Data Carving Evidence

The data carving lab focused on recovering deleted files from a mounted forensic image.

The available evidence includes:

  • mounting an image with FTK Imager
  • opening the physical storage device in WinHex
  • recovering deleted images by file type
  • creating output folders for carved pictures
  • recovering deleted documents by file type
  • using free cluster and sector boundary search settings
  • reviewing recovered output
  • organizing recovery results

This supports a practical understanding of deleted file recovery and forensic artifact extraction.
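Recovery "by file type" with a "sector boundary" search setting, as listed above, reduces to signature-based carving. The following is an added Python example written for this page (it is not WinHex or FTK Imager code): it scans a raw image constructed inline for JPEG, PDF and OLE2 compound-file headers, carves each hit to its footer where the type has one, and offers a sector-boundary-only mode so the difference between aligned and unaligned searching can be seen on a planted false hit. The signature table, the 512-byte sector size and the fixed carve length used for footer-less OLE2 files are assumptions for illustration.

```python
"""Signature-based data carving over a raw image (added example, not tool code).

Demonstrates the two settings named in the lab: recovery by file type
(header/footer signatures) and restricting the search to sector boundaries.
The image below is constructed inline for illustration.
"""
import hashlib

SECTOR = 512  # assumed sector size

# Header and footer signatures for three types the lab recovered: pictures,
# documents, and OLE2 compound files. OLE2 has no footer, so it is carved to a
# fixed maximum length here; a real carver reads the size from the header.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
    "ole2": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", None),
}
MAX_NO_FOOTER = 4096


def carve(image: bytes, sector_aligned: bool = True, max_len: int = MAX_NO_FOOTER) -> list:
    """Return (type, offset, data) for every signature hit, sorted by offset.

    sector_aligned=True mirrors a 'search at sector boundaries only' setting:
    a header found mid-sector is ignored, which avoids false hits inside the
    body of other files at the cost of missing files that do not start on a
    boundary.
    """
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            pos = start + 1
            if sector_aligned and start % SECTOR != 0:
                continue
            if footer is not None:
                end = image.find(footer, start + len(header))
                if end == -1:
                    continue  # no footer: truncated or overwritten, skip rather than guess
                data = image[start:end + len(footer)]
            else:
                data = image[start:start + max_len]
            found.append((kind, start, data))
    return sorted(found, key=lambda hit: hit[1])


def recovery_report(image: bytes, sector_aligned: bool = True) -> list:
    """Summarise hits as (type, offset, size, sha256 prefix) rows, the kind of
    table an examiner records before reviewing each carved file by hand."""
    return [(kind, off, len(data), hashlib.sha256(data).hexdigest()[:16])
            for kind, off, data in carve(image, sector_aligned)]


def build_sample_image() -> bytes:
    """Construct a 12-sector raw image: a JPEG at sector 1, a PDF at sector 4,
    an OLE2 header at sector 8, plus a stray JPEG header at byte 100 (inside
    sector 0, not on a boundary) standing in for a false hit in slack space."""
    img = bytearray(b"\x00" * (12 * SECTOR))
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-sample-pixels" + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF"
    ole2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
    img[1 * SECTOR:1 * SECTOR + len(jpeg)] = jpeg
    img[4 * SECTOR:4 * SECTOR + len(pdf)] = pdf
    img[8 * SECTOR:8 * SECTOR + len(ole2)] = ole2
    img[100:103] = b"\xff\xd8\xff"  # decoy header, deliberately unaligned
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image()
    for row in recovery_report(sample, sector_aligned=True):
        print("aligned  ", row)
    for row in recovery_report(sample, sector_aligned=False):
        print("unaligned", row)
```

With the boundary restriction on, the three planted files are recovered cleanly. With it off, the stray header at byte 100 is also "recovered", and because the carver runs forward to the first JPEG footer it finds, that bogus file swallows the real JPEG's trailer; this is the kind of overlap an examiner has to reconcile when reviewing carved output, and why the lab's output folders per type and a per-file hash are worth keeping.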


Data Recovery from a Mounted Forensic Image

The data recovery lab focused on a “Company Secrets” case in which recovered documents and file artifacts had to be investigated and specific information extracted from them.

The available evidence supports:

  • recovered document review
  • identifying repeated content
  • recognizing missing file numbers
  • identifying a file with mRNA-related content
  • observing encrypted file indicators
  • noting an OLE2 encrypted file type
  • connecting recovered artifacts to FTK and WinHex outputs

AI and IoT Forensics Research

The research essay focused on AI as it relates to cybersecurity and forensics.

The essay discussed:

  • AI-based security applications
  • TON_IoT Windows datasets
  • heterogeneous telemetry
  • Windows and Linux operating system data
  • network traffic data
  • IoT service data
  • intrusion detection
  • threat intelligence
  • privacy preservation
  • digital forensics
  • limitations of homogeneous datasets
  • multi-faceted attacks
  • overfitting and incomplete feature sets
  • labeled datasets with ground truth
  • correlation analysis
  • energy and scalability considerations for AI systems

This research angle matters because modern forensics increasingly depends on large-scale, multi-source evidence. IoT, cloud, endpoint, and network telemetry create both opportunities and challenges for investigators.


IoT Forensics Discussion Evidence

The available discussion work addressed IoT forensics and the difficulty of investigating connected devices.

Themes included:

  • IoT devices generating large volumes of data
  • cloud-based device data
  • proprietary vendor formats
  • multi-tenant cloud infrastructure
  • multi-jurisdictional evidence concerns
  • end-to-end encryption
  • privacy of smart car occupants
  • insecure or poorly secured connected devices
  • use of tools such as Splunk to aggregate different evidence sources
  • need for broader visibility across logs, APIs, files, directories, and network events

This supports the broader forensic theme that modern investigations often require multi-source evidence handling and privacy-aware analysis.


Tools and Techniques Referenced

Tool / Technique | Forensic Purpose | Evidence Type
FTK Imager | Forensic image creation, evidence source selection, E01-style output, verification, image mounting, and read-only access. | Imaging
dcfldd | Linux disk image creation with hash generation and error-handling options during acquisition. | Acquisition
MD5 / SHA256 Hashing | Evidence integrity validation through hash generation and comparison. | Integrity
Registry Viewer | SAM and SYSTEM registry hive analysis for account and system artifact review. | Registry
RegRipper | NTUSER.DAT analysis and user activity artifact extraction. | User Activity
WinHex | Opening mounted forensic images, recovering deleted images and documents, and carving files by type. | Data Carving
Splunk / Multi-Source Telemetry Concepts | Discussion of aggregating logs, files, directories, network events, and APIs for broader forensic and security visibility. | Telemetry

Capability-to-Evidence Map

Capability | Evidence from IST 454 | Status
Forensic Acquisition | Created Windows and Linux forensic images, used FTK Imager and dcfldd-style workflows, and reviewed image output and read-only handling. | Evidence Available
Evidence Integrity | Generated and compared MD5 and SHA256 hashes to validate forensic image integrity. | Evidence Available
Registry Analysis | Recovered and analyzed SAM, SYSTEM, and NTUSER registry hives using Registry Viewer and RegRipper-style workflows. | Evidence Available
Data Carving | Recovered deleted images and documents from a mounted forensic image using WinHex and file recovery by type. | Evidence Available
Artifact Review | Reviewed recovered document content, repeated files, missing file references, encrypted file indicators, and file-type observations. | Supporting Evidence
AI / IoT Forensics Research | Researched AI-based security datasets, IoT telemetry, heterogeneous data sources, privacy preservation, IDS, threat intelligence, and forensic investigation challenges. | Research Evidence

Professional Lessons Learned

This course reinforced several lessons that matter for cybersecurity and incident response:

  • evidence should be acquired and analyzed carefully, not altered directly
  • forensic images should be mounted read-only when possible
  • hashing supports evidence integrity and repeatability
  • deleted files may still be recoverable through data carving
  • registry artifacts can reveal user activity, connected devices, and system state
  • forensic investigation often requires multiple tools
  • modern investigations increasingly involve IoT, cloud, and large-scale telemetry
  • proprietary data formats and encryption can complicate analysis
  • AI datasets may help security teams, but data quality and feature completeness matter
  • forensic reporting should clearly separate evidence, inference, and uncertainty

Professional Relevance

This project supports roles involving:

  • cybersecurity analysis
  • digital forensics
  • incident response
  • security operations
  • malware investigation
  • endpoint investigation
  • GRC-aware evidence handling
  • forensic reporting
  • IoT security awareness
  • AI-assisted security research

It also complements my CYBER 440 capstone work. CYBER 440 demonstrates a broader simulated incident investigation; IST 454 adds dedicated computer and cyber forensics evidence around image acquisition, registry analysis, deleted file recovery, and forensic research.


Difference from CYBER 440

IST 454 and CYBER 440 overlap, but they show different strengths.

Course | Main Portfolio Angle | Best Evidence Type
IST 454 | Forensic imaging, hash verification, registry analysis, deleted file recovery, data carving, IoT forensics, and AI-assisted forensic research. | Digital Forensics
CYBER 440 | Simulated incident response capstone involving network evidence, forensic images, memory artifacts, logs, timeline development, and remediation planning. | IR Capstone

Together, they show both focused exposure to forensic technique and a broader incident investigation workflow.


Portfolio-Safe Redaction Notes

This case study intentionally excludes:

  • raw forensic images
  • mounted image contents
  • recovered documents and images
  • registry hive files
  • exact passwords
  • full screenshots
  • full lab submissions
  • complete group reports
  • private academic records
  • step-by-step lab procedures
  • complete source evidence

The purpose is to show digital forensics knowledge and investigation workflow without exposing raw evidence or academic materials.


Related Portfolio Areas

Digital Forensics (Forensics)

This work supports forensic acquisition, evidence integrity, image mounting, registry analysis, deleted file recovery, and artifact review.

Incident Response (IR-Relevant)

Forensic evidence handling supports incident triage, root-cause analysis, timeline reconstruction, and evidence-based reporting.

Security Operations (SOC-Relevant)

Security analysts benefit from understanding file recovery, registry artifacts, logs, telemetry, and endpoint evidence.

AI and IoT Forensics (Emerging Forensics)

The research work connects forensic thinking to AI datasets, IoT telemetry, privacy, data volume, and multi-source investigation challenges.


Next Steps

This project can later be connected to:

  • the cybersecurity analyst review path
  • the digital forensics capability section
  • the CYBER 440 capstone page
  • an incident-response evidence lifecycle diagram
  • a forensic imaging checklist
  • a registry analysis concept note
  • a data carving concept note
  • an AI/IoT forensics research section

For now, this page serves as the main portfolio-safe summary of my IST 454 computer and cyber forensics evidence.