Preface
Acknowledgments
About the Author
About the Technical Editor

Introduction
  Introduction
  What Is Forensic Science?
  What Is Digital Forensics?
  Uses of Digital Forensics
  Criminal Investigations
  Civil Litigation
  Intelligence
  Administrative Matters
  Locard's Exchange Principle
  Scientific Method
  Organizations of Note
  Scientific Working Group on Digital Evidence (SWGDE)
  American Academy of Forensic Sciences (AAFS)
  American Society of Crime Laboratory Directors/Laboratory Accreditation Board (ASCLD/LAB)
  National Institute of Standards and Technology (NIST)
  American Society for Testing and Materials (ASTM)
  Role of the Forensic Examiner in the Judicial System
  The CSI Effect
  Summary
  References

Key Technical Concepts
  Introduction
  Bits, Bytes, and Numbering Schemes
  Hexadecimal
  Binary to Text: ASCII and Unicode
  File Extensions and File Signatures
  Storage and Memory
  Magnetic Disks
  Flash Memory
  Optical Storage
  Volatile versus Nonvolatile Memory
  Computing Environments
  Cloud Computing
  Data Types
  Active Data
  Latent Data
  Archival Data
  File Systems
  Allocated and Unallocated Space
  Data Persistence
  How Magnetic Hard Drives Store Data
  Page File (or Swap Space)
  Basic Computer Function: Putting It All Together
  Summary
  References

Labs and Tools
  Introduction
  Forensic Laboratories
  Virtual Labs
  Lab Security
  Evidence Storage
  Policies and Procedures
  Quality Assurance
  Tool Validation
  Documentation
  Digital Forensic Tools
  Tool Selection
  Hardware
  Software
  Accreditation
  Accreditation versus Certification
  Summary
  References

Collecting Evidence
  Introduction
  Crime Scenes and Collecting Evidence
  Removable Media
  Cell Phones
  Order of Volatility
  Documenting the Scene
  Photography
  Notes
  Chain of Custody
  Marking Evidence
  Cloning
  Purpose of Cloning
  The Cloning Process
  Forensically Clean Media
  Forensic Image Formats
  Risks and Challenges
  Value in eDiscovery
  Live System versus Dead System
  Live Acquisition Concerns
  Advantage of Live Collection
  Principles of Live Collection
  Conducting and Documenting a Live Collection
  Hashing
  Types of Hashing Algorithms
  Hashing Example
  Uses of Hashing
  Final Report
  Summary
  References

Windows System Artifacts
  Introduction
  Deleted Data
  Hibernation File (hiberfil.sys)
  Sleep
  Hibernation
  Hybrid Sleep
  Registry
  Registry Structure
  Attribution
  External Drives
  Print Spooling
  Recycle Bin
  Metadata
  Removing Metadata
  Thumbnail Cache
  Most Recently Used (MRU)
  Restore Points and Shadow Copy
  Restore Points
  Shadow Copies
  Prefetch
  Link Files
  Installed Programs
  Summary
  References

Antiforensics
  Introduction
  Hiding Data
  Encryption
  What Is Encryption?
  Early Encryption
  Algorithms
  Key Space
  Some Common Types of Encryption
  Breaking Passwords
  Password Attacks
  Brute Force Attacks
  Password Reset
  Dictionary Attack
  Steganography
  Data Destruction
  Drive Wiping
  Summary
  References

Legal
  Introduction
  The Fourth Amendment
  Criminal Law: Searches without a Warrant
  Reasonable Expectation of Privacy
  Private Searches
  E-mail
  The Electronic Communications Privacy Act (ECPA)
  Exceptions to the Search Warrant Requirement
  Searching with a Warrant
  Seize the Hardware or Just the Information?
  Particularity
  Establishing Need for Off-Site Analysis
  Stored Communications Act
  Electronic Discovery (eDiscovery)
  Duty to Preserve
  Private Searches in the Workplace
  Expert Testimony
  Summary
  References

Internet and E-Mail
  Introduction
  Internet Overview
  Peer-to-Peer (P2P)
  The INDEX.DAT File
  Web Browsers: Internet Explorer
  Cookies
  Temporary Internet Files, a.k.a. Web Cache
  Internet History
  Internet Explorer Artifacts in the Registry
  Chat Clients
  Internet Relay Chat (IRC)
  ICQ ("I Seek You")
  E-Mail
  Accessing E-mail
  E-mail Protocols
  E-mail as Evidence
  E-mail: Covering the Trail
  Tracing E-mail
  Reading E-mail Headers
  Social Networking Sites
  Summary
  References

Network Forensics
  Introduction
  Social Engineering
  Network Fundamentals
  Network Types
  Network Security Tools
  Network Attacks
  Incident Response
  Network Evidence and Investigations
  Network Investigation Challenges
  Summary
  References

Mobile Device Forensics
  Introduction
  Cellular Networks
  Cellular Network Components
  Types of Cellular Networks
  Operating Systems
  Cell Phone Evidence
  Call Detail Records
  Collecting and Handling Cell Phone Evidence
  Subscriber Identity Modules (SIM)
  Cell Phone Acquisition: Physical and Logical
  Cell Phone Forensic Tools
  Global Positioning Systems (GPS)
  Summary
  References

Looking Ahead: Challenges and Concerns
  Introduction
  Standards and Controls
  Cloud Forensics (Finding/Identifying Potential Evidence Stored in the Cloud)
  What Is Cloud Computing?
  The Benefits of the Cloud
  Cloud Forensics and Legal Concerns
  Solid State Drives (SSD)
  How Solid State Drives Store Data
  The Problem: Taking out the Trash
  Speed of Change
  Summary
  References

Index