| Section | Page |
|---|---|
| Foreword | p. xix |
| Acknowledgments | p. xxiii |
| Introduction | p. xvii |
| Preparing for an Incident | |
| Case Study: Lab Preparations | p. 2 |
| Cashing Out | p. 2 |
| Preparing for a Forensics Operation | p. 2 |
| The Forensics Process | p. 5 |
| Types of Investigations | p. 6 |
| The Role of the Investigator | p. 8 |
| Elements of a Good Process | p. 10 |
| Cross-Validation | p. 11 |
| Proper Evidence Handling | p. 11 |
| Completeness of Investigation | p. 11 |
| Management of Archives | p. 12 |
| Technical Competency | p. 12 |
| Explicit Definition and Justification for the Process | p. 12 |
| Legal Compliance | p. 13 |
| Flexibility | p. 13 |
| Defining a Process | p. 13 |
| Assessment | p. 14 |
| Acquisition | p. 14 |
| Authentication | p. 15 |
| Analysis | p. 16 |
| Articulation | p. 16 |
| Archival | p. 16 |
| Computer Fundamentals | p. 19 |
| The Bottom-Up View of a Computer | p. 20 |
| It's All Just 1s and 0s | p. 20 |
| Learning from the Past: Giving Computers Memory | p. 22 |
| Basic Input and Output System (BIOS) | p. 24 |
| The Operating System | p. 24 |
| The Applications | p. 25 |
| Types of Media | p. 25 |
| Magnetic Media | p. 25 |
| Optical Media | p. 33 |
| Memory Technologies | p. 34 |
| Forensic Lab Environment Preparation | p. 39 |
| The Ultimate Computer Forensic Lab | p. 40 |
| What Is a Computer Forensic Laboratory? | p. 40 |
| Forensic Lab Security | p. 41 |
| Protecting the Forensic Lab | p. 42 |
| Forensic Computers | p. 46 |
| Components of a Forensic Host | p. 46 |
| Commercially Available Hardware Systems | p. 48 |
| Do-It-Yourself Hardware Systems | p. 49 |
| Data Storage | p. 50 |
| Forensic Hardware and Software Tools | p. 51 |
| Using Hardware Tools | p. 51 |
| Using Software Tools | p. 51 |
| Case Management | p. 52 |
| The Flyaway Kit | p. 53 |
| Bonus: Linux or Windows? | p. 54 |
| Collecting the Evidence | |
| Case Study: The Collections Agency | p. 56 |
| Preparations | p. 56 |
| Revelations | p. 56 |
| Collecting Evidence | p. 56 |
| Forensically Sound Evidence Collection | p. 57 |
| Collecting Evidence from a Single System | p. 58 |
| Power Down the Suspect System | p. 59 |
| Remove the Drive(s) from the Suspect System | p. 59 |
| Check for Other Media | p. 60 |
| Record BIOS Information | p. 60 |
| Forensically Image the Drive | p. 60 |
| Record Cryptographic Hashes | p. 77 |
| Bag and Tag | p. 78 |
| Move Forward | p. 78 |
| Common Mistakes in Evidence Collection | p. 80 |
| Remote Investigations and Collections | p. 83 |
| Privacy Issues | p. 84 |
| Remote Investigations | p. 85 |
| Remote Investigation Tools | p. 86 |
| Remote Collections | p. 94 |
| Remote Collection Tools | p. 95 |
| Encrypted Volumes or Drives | p. 105 |
| USB Thumb Drives | p. 107 |
| Forensic Investigation Techniques | |
| Case Study: Analyzing the Data | p. 110 |
| Digging for Clues | p. 110 |
| We're Not Done. Yet | p. 110 |
| Finally | p. 110 |
| Microsoft Windows Systems Analysis | p. 111 |
| Windows File Systems | p. 112 |
| Master Boot Record | p. 112 |
| FAT File System | p. 112 |
| NTFS | p. 116 |
| Recovering Deleted Files | p. 117 |
| Limitations | p. 127 |
| Windows Artifacts | p. 129 |
| Linux Analysis | p. 137 |
| The Linux File System (ext2 and ext3) | p. 138 |
| ext2 Structure | p. 138 |
| ext3 Structure | p. 141 |
| Linux Swap | p. 142 |
| Linux Analysis | p. 142 |
| Macintosh Analysis | p. 151 |
| The Evolution of the Mac OS | p. 152 |
| Looking at a Mac Disk or Image | p. 154 |
| The Apple Partition Map | p. 154 |
| Trees and Nodes | p. 155 |
| Deleted Files | p. 157 |
| Recovering Deleted Files | p. 159 |
| Concatenating Unallocated Space | p. 160 |
| Scavenging for Unindexed Files and Pruned Nodes | p. 161 |
| A Closer Look at Macintosh Files | p. 162 |
| Archives | p. 162 |
| Date and Time Stamps | p. 163 |
| E-mail | p. 163 |
| Graphics | p. 163 |
| Web Browsing | p. 163 |
| Resources | p. 164 |
| Virtual Memory | p. 164 |
| System Log and Other System Files | p. 164 |
| Mac as a Forensics Platform | p. 165 |
| Defeating Anti-Forensic Techniques | p. 167 |
| Obscurity Methods | p. 168 |
| Privacy Measures | p. 175 |
| Encryption | p. 175 |
| The General Solution to Encryption | p. 180 |
| Wiping | p. 181 |
| Enterprise Storage Analysis | p. 185 |
| The Enterprise Data Universe | p. 186 |
| Rebuilding RAIDs in EnCase | p. 187 |
| Rebuilding RAIDs in Linux | p. 187 |
| Working with NAS Systems | p. 188 |
| Working with SAN Systems | p. 188 |
| Working with Tapes | p. 189 |
| Accessing Raw Tapes on Windows | p. 191 |
| Accessing Raw Tapes on UNIX | p. 191 |
| Commercial Tools for Accessing Tapes | p. 192 |
| Collecting Live Data from Windows Systems | p. 194 |
| Full-Text Indexing | p. 194 |
| Mail Servers | p. 197 |
| E-mail Analysis | p. 201 |
| Finding E-mail Artifacts | p. 202 |
| Client-Based E-mail | p. 203 |
| Web-Based E-mail | p. 219 |
| Internet-Hosted Mail | p. 220 |
| Investigating E-mail Headers | p. 226 |
| Tracking User Activity | p. 231 |
| Microsoft Office Forensics | p. 232 |
| Tracking Web Usage | p. 241 |
| Internet Explorer Forensics | p. 241 |
| Mozilla/Firefox Forensics | p. 249 |
| Cell Phone and PDA Analysis | p. 257 |
| Gathering PDA Evidence - the Collection | p. 258 |
| Acquisition with PDA Seizure | p. 260 |
| Analysis with PDA Seizure | p. 263 |
| Acquisition with EnCase | p. 268 |
| Windows CE/Mobile Windows Acquisition with PDA Seizure | p. 270 |
| Windows CE/Mobile Windows Analysis with PDA Seizure | p. 271 |
| E-mail Analysis with Pocket Outlook | p. 279 |
| Investigating Terminal Services in Mobile Windows | p. 283 |
| Investigating MSN Messenger | p. 284 |
| Passwords and Other Security Features You May Encounter | p. 285 |
| Password-Protected Windows Devices | p. 286 |
| Collecting Cell Phone Evidence: Using Cell Seizure | p. 286 |
| Acquisition with Cell Seizure | p. 287 |
| Analysis with Cell Seizure | p. 292 |
| Presenting Your Findings | |
| Case Study: Wrapping Up the Case | p. 296 |
| He Said, She Said... | p. 296 |
| Documenting the Investigation | p. 297 |
| Read Me | p. 298 |
| Internal Report | p. 299 |
| Construction of an Internal Report | p. 300 |
| Declaration | p. 302 |
| Construction of a Declaration | p. 303 |
| Affidavit | p. 306 |
| Expert Report | p. 307 |
| Construction of an Expert Report | p. 308 |
| The Justice System | p. 313 |
| The Criminal Court System | p. 314 |
| Civil Court | p. 315 |
| Investigation | p. 315 |
| Filing of the Lawsuit | p. 316 |
| Discovery | p. 316 |
| The Trial | p. 318 |
| Expert Status | p. 319 |
| Expert Credentials | p. 319 |
| Nontestifying Expert Consultant | p. 319 |
| Testifying Expert Witness | p. 319 |
| Expert for the Court | p. 320 |
| Expert Interaction with the Court | p. 320 |
| Appendixes | |
| Forensic Forms and Checklists | p. 323 |
| Understanding Legal Concerns | p. 337 |
| Zubulake v. UBS Warburg | p. 338 |
| Case Transcription | p. 338 |
| Case Summaries | p. 348 |
| The Digital Evidence Legal Process | p. 349 |
| Federal Rules of Evidence: Overview | p. 350 |
| Federal Rules of Evidence (FRE) | p. 350 |
| General Provisions | p. 350 |
| Judicial Notice | p. 352 |
| Presumptions in Civil Actions and Proceedings | p. 353 |
| Relevancy and its Limits | p. 353 |
| Privileges | p. 354 |
| Witnesses | p. 354 |
| Opinions and Expert Testimony | p. 358 |
| Hearsay | p. 360 |
| Authentication and Identification | p. 366 |
| Contents of Writings, Recordings, and Photographs | p. 369 |
| Miscellaneous Rules | p. 371 |
| Federal Rules of Civil Procedure: Overview | p. 372 |
| Federal Rules of Civil Procedure (FRCP) | p. 373 |
| Scope of Rules - One Form of Action | p. 373 |
| Commencement of Action; Service of Process, Pleadings, Motions, and Orders | p. 373 |
| Depositions and Discovery | p. 376 |
| Trials | p. 392 |
| Judgment | p. 395 |
| Provisional and Final Remedies | p. 401 |
| District Courts and Clerks | p. 402 |
| General Provisions | p. 403 |
| Searching Techniques | p. 407 |
| Regular Expressions | p. 408 |
| Theory and History | p. 408 |
| The Building Blocks | p. 408 |
| Constructing Regular Expressions | p. 409 |
| The Investigator's Toolkit | p. 413 |
| Forensic Toolkits | p. 414 |
| Guidance Software | p. 414 |
| ASR Data | p. 415 |
| Paraben | p. 415 |
| Access Data | p. 416 |
| The Sleuth Kit | p. 417 |
| Glossary | p. 419 |
| Index | p. 423 |