| |
| |
| Preface | |
| |
| |
| Acknowledgments | |
| |
| |
| About The Author | |
| |
| |
| About The Technical Editor | |
| |
| |
| |
| Introduction | |
| |
| |
| Introduction | |
| |
| |
| What Is Forensic Science? | |
| |
| |
| What Is Digital Forensics? | |
| |
| |
| Uses of Digital Forensics | |
| |
| |
| Criminal Investigations | |
| |
| |
| Civil Litigation | |
| |
| |
| Intelligence | |
| |
| |
| Administrative Matters | |
| |
| |
| Locard's Exchange Principle | |
| |
| |
| Scientific Method | |
| |
| |
| Organizations of Note | |
| |
| |
| Scientific Working Group on Digital Evidence | |
| |
| |
| American Academy of Forensic Sciences | |
| |
| |
| American Society of Crime Laboratory Directors/Laboratory Accreditation Board | |
| |
| |
| National Institute of Standards and Technology (NIST) | |
| |
| |
| American Society for Testing and Materials (ASTM) | |
| |
| |
| Role of the Forensic Examiner in the Judicial System | |
| |
| |
| The CSI Effect | |
| |
| |
| Summary | |
| |
| |
| References | |
| |
| |
| |
| Key Technical Concepts | |
| |
| |
| Introduction | |
| |
| |
| Bits, Bytes, and Numbering Schemes | |
| |
| |
| Hexadecimal | |
| |
| |
| Binary to Text: ASCII and Unicode | |
| |
| |
| File Extensions and File Signatures | |
| |
| |
| Storage and Memory | |
| |
| |
| Magnetic Disks | |
| |
| |
| Flash Memory | |
| |
| |
| Optical Storage | |
| |
| |
| Volatile versus Nonvolatile Memory | |
| |
| |
| Computing Environments | |
| |
| |
| Cloud Computing | |
| |
| |
| Data Types | |
| |
| |
| Active Data | |
| |
| |
| Latent Data | |
| |
| |
| Archival Data | |
| |
| |
| File Systems | |
| |
| |
| Allocated and Unallocated Space | |
| |
| |
| Data Persistence | |
| |
| |
| How Magnetic Hard Drives Store Data | |
| |
| |
| Page File (or Swap Space) | |
| |
| |
| Basic Computer Function-Putting it All Together | |
| |
| |
| Summary | |
| |
| |
| References | |
| |
| |
| |
| Labs and Tools | |
| |
| |
| Introduction | |
| |
| |
| Forensic Laboratories | |
| |
| |
| Virtual Labs | |
| |
| |
| Lab Security | |
| |
| |
| Evidence Storage | |
| |
| |
| Policies and Procedures | |
| |
| |
| Quality Assurance | |
| |
| |
| Tool Validation | |
| |
| |
| Documentation | |
| |
| |
| Digital Forensic Tools | |
| |
| |
| Tool Selection | |
| |
| |
| Hardware | |
| |
| |
| Software | |
| |
| |
| Accreditation | |
| |
| |
| Accreditation versus Certification | |
| |
| |
| Summary | |
| |
| |
| References | |
| |
| |
| |
| Collecting Evidence | |
| |
| |
| Introduction | |
| |
| |
| Crime Scenes and Collecting Evidence | |
| |
| |
| Removable Media | |
| |
| |
| Cell Phones | |
| |
| |
| Order of Volatility | |
| |
| |
| Documenting the Scene | |
| |
| |
| Photography | |
| |
| |
| Notes | |
| |
| |
| Chain of Custody | |
| |
| |
| Marking Evidence | |
| |
| |
| Cloning | |
| |
| |
| Purpose of Cloning | |
| |
| |
| The Cloning Process | |
| |
| |
| Forensically Clean Media | |
| |
| |
| Forensic Image Formats | |
| |
| |
| Risks and Challenges | |
| |
| |
| Value in eDiscovery | |
| |
| |
| Live System versus Dead System | |
| |
| |
| Live Acquisition Concerns | |
| |
| |
| Advantage of Live Collection | |
| |
| |
| Principles of Live Collection | |
| |
| |
| Conducting and Documenting a Live Collection | |
| |
| |
| Hashing | |
| |
| |
| Types of Hashing Algorithms | |
| |
| |
| Hashing Example | |
| |
| |
| Uses of Hashing | |
| |
| |
| Final Report | |
| |
| |
| Summary | |
| |
| |
| References | |
| |
| |
| |
| Windows System Artifacts | |
| |
| |
| Introduction | |
| |
| |
| Deleted Data | |
| |
| |
| Hibernation File (Hiberfile.sys) | |
| |
| |
| Sleep | |
| |
| |
| Hibernation | |
| |
| |
| Hybrid Sleep | |
| |
| |
| Registry | |
| |
| |
| Registry Structure | |
| |
| |
| Attribution | |
| |
| |
| External Drives | |
| |
| |
| Print Spooling | |
| |
| |
| Recycle Bin | |
| |
| |
| Metadata | |
| |
| |
| Removing Metadata | |
| |
| |
| Thumbnail Cache | |
| |
| |
| Most Recently Used (MRU) | |
| |
| |
| Restore Points and Shadow Copy | |
| |
| |
| Restore Points | |
| |
| |
| Shadow Copies | |
| |
| |
| Prefetch | |
| |
| |
| Link Files | |
| |
| |
| Installed Programs | |
| |
| |
| Summary | |
| |
| |
| References | |
| |
| |
| |
| Antiforensics | |
| |
| |
| Introduction | |
| |
| |
| Hiding Data | |
| |
| |
| Encryption | |
| |
| |
| What Is Encryption? | |
| |
| |
| Early Encryption | |
| |
| |
| Algorithms | |
| |
| |
| Key Space | |
| |
| |
| Some Common Types of Encryption | |
| |
| |
| Breaking Passwords | |
| |
| |
| Password Attacks | |
| |
| |
| Brute Force Attacks | |
| |
| |
| Password Reset | |
| |
| |
| Dictionary Attack | |
| |
| |
| Steganography | |
| |
| |
| Data Destruction | |
| |
| |
| Drive Wiping | |
| |
| |
| Summary | |
| |
| |
| References | |
| |
| |
| |
| Legal | |
| |
| |
| Introduction | |
| |
| |
| The Fourth Amendment | |
| |
| |
| Criminal Law-Searches without a Warrant | |
| |
| |
| Reasonable Expectation of Privacy | |
| |
| |
| Private Searches | |
| |
| |
| E-mail | |
| |
| |
| The Electronic Communications Privacy Act (ECPA) | |
| |
| |
| Exceptions to the Search Warrant Requirement | |
| |
| |
| Searching with a Warrant | |
| |
| |
| Seize the Hardware or Just the Information? | |
| |
| |
| Particularity | |
| |
| |
| Establishing Need for Off-Site Analysis | |
| |
| |
| Stored Communications Act | |
| |
| |
| Electronic Discovery (eDiscovery) | |
| |
| |
| Duty to Preserve | |
| |
| |
| Private Searches in the Workplace | |
| |
| |
| Expert Testimony | |
| |
| |
| Summary | |
| |
| |
| References | |
| |
| |
| |
| Internet and E-Mail | |
| |
| |
| Introduction | |
| |
| |
| Internet Overview | |
| |
| |
| Peer-to-Peer (P2P) | |
| |
| |
| The INDEX.DAT File | |
| |
| |
| Web Browsers-Internet Explorer | |
| |
| |
| Cookies | |
| |
| |
| Temporary Internet Files, a.k.a. web Cache | |
| |
| |
| Internet History | |
| |
| |
| Internet Explorer Artifacts in the Registry | |
| |
| |
| Chat Clients | |
| |
| |
| Internet Relay Chat (IRC) | |
| |
| |
| ICQ "I Seek You" | |
| |
| |
| E-Mail | |
| |
| |
| Accessing E-mail | |
| |
| |
| E-mail Protocols | |
| |
| |
| E-mail as Evidence | |
| |
| |
| E-mail-Covering the Trail | |
| |
| |
| Tracing E-mail | |
| |
| |
| Reading E-mail Headers | |
| |
| |
| Social Networking Sites | |
| |
| |
| Summary | |
| |
| |
| References | |
| |
| |
| |
| Network Forensics | |
| |
| |
| Introduction | |
| |
| |
| Social Engineering | |
| |
| |
| Network Fundamentals | |
| |
| |
| Network Types | |
| |
| |
| Network Security Tools | |
| |
| |
| Network Attacks | |
| |
| |
| Incident Response | |
| |
| |
| Network Evidence and Investigations | |
| |
| |
| Network Investigation Challenges | |
| |
| |
| Summary | |
| |
| |
| References | |
| |
| |
| |
| Mobile Device Forensics | |
| |
| |
| Introduction | |
| |
| |
| Cellular Networks | |
| |
| |
| Cellular Network Components | |
| |
| |
| Types of Cellular Networks | |
| |
| |
| Operating Systems | |
| |
| |
| Cell Phone Evidence | |
| |
| |
| Call Detail Records | |
| |
| |
| Collecting and Handling Cell Phone Evidence | |
| |
| |
| Subscriber Identity Modules | |
| |
| |
| Cell Phone Acquisition: Physical and Logical | |
| |
| |
| Cell Phone Forensic Tools | |
| |
| |
| Global Positioning Systems (GPS) | |
| |
| |
| Summary | |
| |
| |
| References | |
| |
| |
| |
| Looking Ahead: Challenges and Concerns | |
| |
| |
| Introduction | |
| |
| |
| Standards and Controls | |
| |
| |
| Cloud Forensics (Finding/Identifying Potential Evidence Stored in the Cloud) | |
| |
| |
| What Is Cloud Computing? | |
| |
| |
| The Benefits of the Cloud | |
| |
| |
| Cloud Forensics and Legal Concerns | |
| |
| |
| Solid State Drives (SSD) | |
| |
| |
| How Solid State Drives Store Data | |
| |
| |
| The Problem: Taking out the Trash | |
| |
| |
| Speed of Change | |
| |
| |
| Summary | |
| |
| |
| References | |
| |
| |
| Index | |