ISSA INFORMATION SYSTEMS SECURITY & ASSURANCE SERIES
Fundamentals of Communications and Networking, Second Edition Michael G. Solomon and David Kim
Fundamentals of Information Systems Security, Third Edition David Kim and Michael G. Solomon
Legal Issues in Information Security, Second Edition Joanna Lyn Grama
Managing Risk in Information Systems, Second Edition Darril Gibson
Security Policies and Implementation Issues, Second Edition Rob Johnson
Auditing IT Infrastructures for Compliance, Second Edition Martin Weiss and Michael G. Solomon
Access Control, Authentication, and Public Key Infrastructure, Second Edition Mike Chapple, Bill Ballad, Tricia Ballad, and Erin Banks
Security Strategies in Windows Platforms and Applications, Second Edition
Michael G. Solomon
Security Strategies in Linux Platforms and Applications, Second Edition Michael Jang and Ric Messier
Network Security, Firewalls, and VPNs, Second Edition J. Michael Stewart
Hacker Techniques, Tools, and Incident Handling, Second Edition Sean-Philip Oriyano
Internet Security: How to Defend Against Attackers on the Web, Second Edition Mike Harwood
System Forensics, Investigation, and Response, Third Edition Chuck Easttom
Cyberwarfare: Information Operations in a Connected World Mike Chapple and David Seidl
Wireless and Mobile Device Security Jim Doherty
JONES & BARTLETT LEARNING
The Information Systems Security & Assurance Series (ISSA) offers an interactive curriculum solution that covers the essential topics needed to support certification or degree programs within IT Security, Cybersecurity, Information
Assurance and Information Systems Security. Developed by certified professionals, the series delivers fundamental IT security principles and real-world applications, tools, and techniques used in today’s work force and necessary for accommodating the rapidly growing job demand for cybersecurity. The inclusion of robust courseware and innovative labs, delivered in a first-of-its kind “cloud” computing environment, offer a fully immersive cloud learning experience. Students can learn in a trial-and- error format in an experiential learning environment with no risk, gaining invaluable workplace-related skills essential to maintaining the security and confidentiality of their employers’ data assets. Visit http://www.issaseries.com/ for the most current information on text availability and additional information on the Virtual Security Cloud Labs.
http://www.issaseries.com/
System Forensics, Investigation, and Response
ISSA INFORMATION SYSTEMS SECURITY & ASSURANCE SERIES
THIRD EDITION
Chuck Easttom
JONES & BARTLETT LEARNING
World Headquarters Jones & Bartlett Learning 5 Wall Street Burlington, MA 01803 978-443-5000 info@jblearning.com www.jblearning.com
Jones & Bartlett Learning books and products are available through most bookstores and online booksellers. To contact Jones & Bartlett Learning directly, call 800-832-0034, fax 978-443-8000, or visit our website, www.jblearning.com.
Substantial discounts on bulk quantities of Jones & Bartlett Learning publications are available to corporations, professional associations, and other qualified organizations. For details and specific discount information, contact the special sales department at Jones & Bartlett Learning via the above contact information or send an email to specialsales@jblearning.com.
Copyright © 2019 by Jones & Bartlett Learning, LLC, an Ascend Learning Company
All rights reserved. No part of the material protected by this copyright may be reproduced or utilized in any form, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the copyright owner.
mailto:info@jblearning.com
http://www.jblearning.com
http://www.jblearning.com
mailto:specialsales@jblearning.com
The content, statements, views, and opinions herein are the sole expression of the respective authors and not that of Jones & Bartlett Learning, LLC. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not constitute or imply its endorsement or recommendation by Jones & Bartlett Learning, LLC and such reference shall not be used for advertising or product endorsement purposes. All trademarks displayed are the trademarks of the parties noted herein. System Forensics, Investigation, and Response, Third Edition is an independent publication and has not been authorized, sponsored, or otherwise approved by the owners of the trademarks or service marks referenced in this product.
There may be images in this book that feature models; these models do not necessarily endorse, represent, or participate in the activities represented in the images. Any screenshots in this product are for educational and instructive purposes only. Any individuals and scenarios featured in the case studies throughout this product may be real or fictitious, but are used for instructional purposes only.
This publication is designed to provide accurate and authoritative information in regard to the Subject Matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional service. If legal
advice or other expert assistance is required, the service of a competent professional person should be sought.
Production Credits VP, Executive Publisher: David D. Cella Executive Editor: Matt Kane Acquisitions Editor: Laura Pagluica Editorial Assistant: Mary Menzemer Associate Production Editor: Alex Schab Director of Marketing: Andrea DeFronzo Production Services Manager: Colleen Lamy VP, Manufacturing and Inventory Control: Therese Connell Composition: codeMantra U.S. LLC Cover Design: Scott Moden Rights & Media Specialist: Thais Miller Media Development Editor: Shannon Sheehan Cover Image (Title Page, Part Opener, Chapter Opener): © Click Bestsellers/Shutterstock Printing and Binding: Edwards Brothers Malloy Cover Printing: Edwards Brothers Malloy
Library of Congress Cataloging-in-Publication Data Names: Easttom, Chuck, author. Title: System forensics, investigation, and response / Chuck Easttom. Description: Third Edition. | Burlington, MA : Jones & Bartlett Learning, [2019] | Revised edition of the author’s System forensics, investigation, and response, c2014. Identifiers: LCCN 2017018109 | ISBN
9781284121841 Subjects: LCSH: Computer crimes—Investigation— Textbooks. Classification: LCC HV8079.C65 E37 2017 | DDC 363.25/968—dc23 LC record available at https://lccn.loc.gov/2017018109
6048
Printed in the United States of America 21 20 19 18 17 10 9 8 7 6 5 4 3 2 1
https://lccn.loc.gov/2017018109
Contents Preface
About the Author
PART I Introduction to Forensics
CHAPTER 1 Introduction to Forensics What Is Computer Forensics?
Using Scientific Knowledge
Collecting
Analyzing
Presenting
Understanding the Field of Digital Forensics
What Is Digital Evidence?
Scope-Related Challenges to System
Forensics
Types of Digital System Forensics
Analysis
General Guidelines
Knowledge Needed for Computer Forensics Analysis
Hardware
Software
Networks
Addresses
Obscured Information and Anti-Forensics
The Daubert Standard
U.S. Laws Affecting Digital Forensics
The Federal Privacy Act of 1974
The Privacy Protection Act of 1980
The Communications Assistance for Law
Enforcement Act of 1994
The Electronic Communications Privacy
Act of 1986
The Computer Security Act of 1987
The Foreign Intelligence Surveillance Act
of 1978
The Child Protection and Sexual Predator
Punishment Act of 1998
The Children’s Online Privacy Protection
Act of 1998
The Communications Decency Act of 1996
The Telecommunications Act of 1996
The Wireless Communications and Public
Safety Act of 1999
The USA Patriot Act of 2001
The Sarbanes-Oxley Act of 2002
18 U.S.C. § 1030: Fraud and Related
Activity in Connection with Computers
18 U.S.C. § 1020: Fraud and Related
Activity in Connection with Access Devices
The Digital Millennium Copyright Act
(DMCA) of 1998
18 U.S.C. § 1028A: Identity Theft and
Aggravated Identity Theft
18 U.S.C. § 2251: Sexual Exploitation of
Children
Warrants
Federal Guidelines
The FBI
The Secret Service
The Regional Computer Forensics
Laboratory Program
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 1 ASSESSMENT
CHAPTER 2 Overview of Computer Crime
How Computer Crime Affects Forensics
Identity Theft
Phishing
Spyware
Discarded Information
How Does This Crime Affect Forensics?
Hacking
SQL Injection
Cross-Site Scripting
Ophcrack
Tricking Tech Support
Hacking in General
Cyberstalking and Harassment
Real Cyberstalking Cases
Fraud
Investment Offers
Data Piracy
Non-Access Computer Crimes
Denial of Service
Viruses
Logic Bombs
Cyberterrorism
How Does This Crime Affect Forensics?
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 2 ASSESSMENT
CHAPTER 3 Forensic Methods and Labs
Forensic Methodologies
Handle Original Data as Little as Possible
Comply with the Rules of Evidence
Avoid Exceeding Your Knowledge
Create an Analysis Plan
Technical Information Collection
Considerations
Formal Forensic Approaches
Department of Defense Forensic
Standards
The Digital Forensic Research Workshop
Framework
The Scientific Working Group on Digital
Evidence Framework
An Event-Based Digital Forensics
Investigation Framework
Documentation of Methodologies and Findings
Disk Structure
File Slack Searching
Evidence-Handling Tasks
Evidence-Gathering Measures
Expert Reports
How to Set Up a Forensic Lab
Equipment
Security
American Society of Crime Laboratory
Directors
Common Forensic Software Programs
EnCase
Forensic Toolkit
OSForensics
Helix
Kali Linux
AnaDisk Disk Analysis Tool
CopyQM Plus Disk Duplication Software
The Sleuth Kit
Disk Investigator
Forensic Certifications
EnCase Certified Examiner Certification
AccessData Certified Examiner
OSForensics
Certified Cyber Forensics Professional
EC Council Computer Hacking Forensic
Investigator
High Tech Crime Network Certifications
Global Information Assurance Certification
Certifications
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 3 ASSESSMENT
PART II Technical Overview: System Forensics Tools, Techniques, and Methods
CHAPTER 4 Collecting, Seizing, and Protecting Evidence Proper Procedure
Shutting Down the Computer
Transporting the Computer System to a
Secure Location
Preparing the System
Documenting the Hardware Configuration
of the System
Mathematically Authenticating Data on All
Storage Devices
Handling Evidence
Collecting Data
Documenting Filenames, Dates, and Times
Identifying File, Program, and Storage
Anomalies
Evidence-Gathering Measures
Storage Formats
Magnetic Media
Solid-State Drives
Digital Audio Tape Drives
Digital Linear Tape and Super DLT
Optical Media
Using USB Drives
File Formats
Forensic Imaging
Imaging with EnCase
Imaging with the Forensic Toolkit
Imaging with OSForensics
RAID Acquisitions
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 4 ASSESSMENT
CHAPTER LAB
CHAPTER 5 Understanding Techniques for Hiding and Scrambling Information Steganography
Historical Steganography
Steganophony
Video Steganography
More Advanced Steganography
Steganalysis
Invisible Secrets
MP3Stego
Additional Resources
Encryption
The History of Encryption
Modern Cryptography
Breaking Encryption
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 5 ASSESSMENT
CHAPTER 6 Recovering Data Undeleting Data
File Systems and Hard Drives
Windows
Forensically Scrubbing a File or Folder
Linux
Macintosh
Recovering Information from Damaged Media
Physical Damage Recovery Techniques
Recovering Data After Logical Damage
File Carving
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 6 ASSESSMENT
CHAPTER 7 Email Forensics
How Email Works
Email Protocols
Faking Email
Email Headers
Getting Headers in Outlook
Getting Headers from Yahoo! Email
Getting Headers from Gmail
Other Email Clients
Email Files
Paraben’s Email Examiner
ReadPST
Tracing Email
Email Server Forensics
Email and the Law
The Fourth Amendment to the U.S.
Constitution
The Electronic Communications Privacy
Act
The CAN-SPAM Act
18 U.S.C. 2252B
The Communication Assistance to Law
Enforcement Act
The Foreign Intelligence Surveillance Act
The USA Patriot Act
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 7 ASSESSMENT
CHAPTER 8 Windows Forensics
Windows Details
Windows History
64-Bit
The Boot Process
Important Files
Volatile Data
Tools
Windows Swap File
Windows Logs
Windows Directories
UserAssist
Unallocated/Slack Space
Alternate Data Streams
Index.dat
Windows Files and Permissions
MAC
The Registry
USB Information
Wireless Networks
Tracking Word Documents in the Registry
Malware in the Registry
Uninstalled Software
Passwords
ShellBag
Prefetch
Volume Shadow Copy
Memory Forensics
Volatility
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 8 ASSESSMENT
CHAPTER 9 Linux Forensics
Linux and Forensics
Linux Basics
Linux History
Linux Shells
Graphical User Interface
K Desktop Environment (KDE)/Plasma
Linux Boot Process
Logical Volume Manager
Linux Distributions
Linux File Systems
Ext
The Reiser File System
The Berkeley Fast File System
Linux Logs
The /var/log/faillog Log
The /var/log/kern.log Log
The /var/log/lpr.log Log
The /var/log/mail.* Log
The /var/log/mysql.* Log
The /var/log/apache2/* Log
The /var/log/lighttpd/* Log
The /var/log/apport.log Log
Other Logs
Viewing Logs
Linux Directories
The /root Directory
The /bin Directory
The /sbin Directory
The /etc Folder
The /etc/inittab File
The /dev Directory
The /mnt Directory
The /boot Directory
The /usr Directory
The /var Directory
The /var/spool Directory
The /proc Directory
Shell Commands for Forensics
The Command
The Command
The Command
The Command
The Command
The Command
The Command
The Command
The Command
The Command
The Command
The Command
The Command
The Command
The Command
The Command
Can You Undelete in Linux?
Manual Method
Kali Linux Forensics
Forensics Tools for Linux
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 9 ASSESSMENT
CHAPTER 10 Macintosh Forensics
Mac Basics
Mac History
Mac File Systems
Partition Types
Macintosh Logs
The /var/log Log
The /var/spool/cups Folder
The /Library/Receipts Folder
The /Users//.bash_history Log
The /var/vm Folder
The /Users/ Directory
The /Users//Library/Preferences/
Folder
Directories
The /Volumes Directory
The /Users Directory
The /Applications Directory
The /Network Directory
The /etc Directory
The
/Library/Preferences/SystemConfiguration/dom.apple.preferences.plist
File
Macintosh Forensic Techniques
Target Disk Mode
Searching Virtual Memory
Shell Commands
How to Examine a Mac
Can You Undelete in Mac?
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 10 ASSESSMENT
CHAPTER 11 Mobile Forensics
Cellular Device Concepts
Terms
Operating Systems
The BlackBerry
What Evidence You Can Get from a Cell Phone
Types of Investigations
Phone states
Seizing Evidence from a Mobile Device
The iPhone
BlackBerry
JTAG
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 11 ASSESSMENT
CHAPTER 12 Performing Network Analysis Network Packet Analysis
Network Packets
Network Attacks
Network Traffic Analysis Tools
Network Traffic Analysis
Using Log Files as Evidence
Wireless
Router Forensics
Router Basics
Types of Router Attacks
Getting Evidence from the Router
Firewall Forensics
Firewall Basics
Collecting Data
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 12 ASSESSMENT
PART III Incident Response and Resources
CHAPTER 13 Incident and Intrusion Response Disaster Recovery
Incident Response Plan
Incident Response
Preserving Evidence
Adding Forensics to Incident Response
Forensic Resources
Forensics and Policy
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 13 ASSESSMENT
CHAPTER 14 Trends and Future Directions Technical Trends
What Impact Does This Have on
Forensics?
Software as a Service
The Cloud
What Impact Does Cloud Computing Have
on Forensics?
Legal and Procedural Trends
Changes in the Law
The USA Patriot Act
Private Labs
International Issues
Techniques
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 14 ASSESSMENT
CHAPTER 15 System Forensics Resources
Tools to Use
ASR Data Acquisition & Analysis
AccessData Forensic Toolkit
OSForensics
ComputerCOP
Digital Detective
Digital Intelligence
Disk Investigator
EnCase
X-Ways Software Technology AG
Other Tools
Resources
International Association of Computer
Investigative Specialists
EnCase Certified Examiner Certification
AccessData Certified Examiner
Certified Hacking Forensic Investigator
Certified Cyber Forensics Professional
SANS Institute
American Academy of Forensic Sciences
Websites
Journals
Conferences
Laws
The USA Patriot Act
The Electronic Communications Privacy
Act of 1986
The Communications Assistance to Law
Enforcement Act of 1996
The Health Insurance Portability and
Accountability Act of 1996
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 15 ASSESSMENT
APPENDIX A Answer Key
APPENDIX B Standard Acronyms
Glossary of Key Terms
References
Index
Preface Purpose of This Book This book is part of the Information Systems Security & Assurance Series from Jones & Bartlett Learning (www.jblearning.com). Designed for courses and curriculums in IT Security, Cybersecurity, Information Assurance, and Information Systems Security, this series features a comprehensive, consistent treatment of the most current thinking and trends in this critical subject area. These titles deliver fundamental information security principles packed with real-world applications and examples. Authored by Certified Information Systems Security Professionals, they deliver comprehensive information on all aspects of information security. Reviewed word-for-word by leading technical experts in the field, these books are not just current, but forward-thinking—putting you in the position to solve the cybersecurity challenges not just of today, but of tomorrow as well.
Computer crimes call for forensics specialists— people who know how to find and follow the
http://www.jblearning.com
evidence. But even aside from criminal investigations, incident response requires forensic skills. This book begins by examining the fundamentals of system forensics: what forensics is, an overview of computer crime, the challenges of system forensics, and forensics methods and labs. The second part of this book addresses the tools, techniques, and methods used to perform computer forensics and investigation. These include collecting evidence, investigating information hiding, recovering data, and scrutinizing email. It also discusses how to perform forensics in the Windows, Linux, and Macintosh operating systems; on mobile devices; and on networks. Finally, the third part explores incident and intrusion response, emerging technologies and future directions of this field, and additional system forensics resources.
Learning Features The writing style of this book is practical and conversational. Each chapter begins with a statement of learning objectives. Step-by-step examples of information security concepts and procedures are presented throughout the text. Illustrations are used both to clarify the material and to vary the presentation. The text is sprinkled with Notes, Tips, FYIs, Warnings, and sidebars to alert the reader to additional helpful information related to the subject under discussion. Chapter assessments appear at the end of each chapter, with solutions provided in the back of the book.
Chapter summaries are included in the text to provide a rapid review or preview of the material and to help students understand the relative importance of the concepts presented.
Audience The material is suitable for undergraduate or graduate computer science majors or information science majors, students at a 2-year technical college or community college who have a basic technical background, or readers who have a basic understanding of IT security and want to expand their knowledge.
This book is dedicated to all the forensic analysts who work diligently to extract the evidence necessary to find the truth in criminal and civil cases.
About the Author Chuck Easttom is an internationally renowned computer security expert and trainer. He has been in the IT industry for more than 25 years and has been training for more than 15. He routinely conducts computer security and forensics training for civilian companies, law enforcement, government agencies, and friendly foreign governments. He holds more than 40 industry certifications, including several forensics certifications such as: Certified Cyber Forensics Professional (CCFP), Certified Hacking Forensic Investigator (CHFI), Certified Criminal Investigator (CCI), Access Certified Examiner (ACE), Oxygen Certified Examiner, Certified Forensic Consultant (CFC), and others. He has served as an expert witness in U.S. court cases since 2004, and has extensive courtroom experience. He also has extensive hands-on experience conducting forensic examinations as part of both criminal investigations and incident response.
Chuck created the OSForensics certification (OSFCE) course and test. He is an associate member of the American Academy of Forensics. Chuck is a frequent speaker at universities and conferences. He has been a speaker at Columbia University’s ACM Chapter, Harvard Computer Society, (ISC) Security Congress, SecureWorld, Hakon India, Hakon Africa, Defcon, Enfuse, IAFLS, AAFS, ADFSL, and many other conferences. You can visit the author’s website at www.chuckeasttom.com.
2
http://www.chuckeasttom.com
PART I: Introduction to Forensics
CHAPTER 1 Introduction to Forensics
CHAPTER 2 Overview of Computer Crime
CHAPTER 3 Forensic Methods and Labs
T CHAPTER 1: Introduction to Forensics
HIS CHAPTER INTRODUCES YOU TO THE FIELD of computer forensics. That means it will cover some legal issues, the basic
concepts of the forensic process, and a review of the basic computer and networking knowledge you will need.
Chapter 1 Topics This chapter covers the following topics and concepts:
What computer forensics is
What you need to know about the field of digital forensics
What you need to know for computer forensics analysis
What the Daubert standard is
What the relevant laws are
What the federal guidelines are
Chapter 1 Goals When you complete this chapter, you will be able to:
Understand the basic concepts of forensics
Maintain the chain of custody
Understand basic hardware and networking knowledge needed for forensics
Know the basic laws related to computer forensics
What Is Computer Forensics? Before you can answer the question, “What is computer forensics?” you should address the question, “What is forensics?” The American Heritage Dictionary defines forensics as “the use of science and technology to investigate and establish facts in criminal or civil courts of law.”
Essentially, forensics is the use of science to process evidence so you can establish the facts of a case. The individual case being examined could be criminal or civil, but the process is the same. The evidence has to be examined and processed in a consistent scientific manner. This is to ensure that the evidence is not accidentally altered and that appropriate conclusions are derived from that evidence.
You have probably seen some crime drama wherein forensic techniques were a part of the investigative process. In such dramas, a bullet is found and forensics is used to determine the gun that fired the bullet. Or, perhaps a drop of blood is found and forensics is used to match the DNA to a suspect. These are all valid aspects of forensics. However, our modern world is full of electronic devices with the capacity to store data. The extraction of that data in a consistent scientific manner is the subject of computer forensics.
The Computer Emergency Response Team (CERT) defines computer forensics in this manner:
Forensics is the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts.… Forensics deals primarily with the recovery and analysis of latent evidence. Latent evidence can take many forms, from fingerprints left on a window to DNA evidence recovered from blood stains to the files on a hard drive.
According to the website Computer Forensics World:
Generally, computer forensics is considered to be the use of analytical and investigative techniques to identify, collect, examine and preserve evidence/information which is magnetically stored or encoded.
The objective in computer forensics is to recover, analyze, and present computer-based material in such a way that it can be used as evidence in a court of law. In computer forensics, as in any other branch of forensic science, the emphasis must be on the integrity and security of evidence. A forensic specialist must adhere to stringent guidelines and avoid taking shortcuts.
Any device that can store data is potentially the subject of computer forensics. Obviously, that includes devices such as network servers, personal computers, and laptops.
It must be noted that computer forensics has expanded. The topic now includes cell phone forensics, router forensics, global positioning system
(GPS) device forensics, tablet forensics, and forensics of many other devices. The term digital forensics is a more encompassing term that includes all of these devices. Regardless of the term you use, the goal is the same: to apply solid scientific methodologies to a device in order to extract evidence for use in a court proceeding.
Although the subject of computer forensics, as well as the tools and techniques used, is significantly different from traditional forensics—like DNA analysis and bullet examination—the goal is the same: to obtain evidence that can be used in some legal proceeding. Computer forensics applies to all the domains of a typical IT infrastructure, from the User Domain and Remote Access Domain to the Wide Area Network (WAN) Domain and Internet Domain (see FIGURE 1-1).
FIGURE 1-1 The seven domains of a typical IT infrastructure.
Consider some elements of the preceding definitions. In particular, let’s look at this sentence: “Forensics is the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts.” Each portion of this is critical, and the following sections of this chapter examine each one individually.
Using Scientific Knowledge
First and foremost, computer forensics is a science. This is not a process based on your “gut feelings” or personal whim. It is important to understand and apply scientific methods and processes. It is also important that you have knowledge of the relevant scientific disciplines. That also means you must have scientific knowledge of the field. Computer forensics begins with a thorough understanding of computer hardware. Then you need to understand the operating system running on that device; even smartphones and routers have operating systems. You must also understand at least the basics of computer networks.
If you attempt to master forensics without this basic knowledge, you are not likely to be successful. Now if you find yourself starting in on a course and are not sure if you have the requisite knowledge, don’t panic. First, you simply need a basic knowledge of computers and computer networks. If you have taken a couple of basic computer courses at a college or perhaps the CompTIA A+ certification, you have the baseline knowledge. Also, you will get a review of some basic concepts in this chapter.
However, the more you know about computers and networks, the better you will be at computer forensics. There is no such thing as “knowing too much.” Even though some technical details change quickly, such as the capacity and materials of hard disks, other details change very slowly, if at all, such as the various file systems, the role of volatile and nonvolatile memory, and the fact that criminals take
advantage of the advancements in computer and digital technology to improve their lives as much as the businessman, student, or homeowner. A great deal of information is stored in computers. Keep learning what is there, where it is stored, and how that information may be used by computer user and computer criminal alike.
Collecting Before you can do any forensic analysis or examination, you have to collect the evidence. There are very specific procedures for properly collecting evidence. You will be introduced to some general guidelines later in this chapter. The important thing to realize for now is that how you collect the evidence determines if that evidence is admissible in a court.
Analyzing This is one of the most time-consuming parts of a forensic investigation, and it can be the most challenging. Once you have collected the data, what does it mean? The real difference between a mediocre investigator and a star investigator is the analysis. The data is there, but do you know what it means? This is also related to your level of scientific knowledge. If you don’t know enough, you may not see the significance of the data you have.
You also have to be able to solve puzzles. That is, in essence, what any forensic investigation is. It is solving a complex puzzle—putting together the data you have and finding out what sort of picture is
revealed. You might try to approach a forensic investigation like Sherlock Holmes. Look at every detail. What does it mean? Before you jump to a conclusion, how much evidence do you have to support that conclusion? Are there alternatives and, in fact, better explanations for the data?
Presenting Once you have finished your investigation, done your analysis, and obeyed all the rules and guidelines, you still have one more step. You will have to present that evidence in one form or another. The two most basic forms are the expert report and expert testimony. In either case, it will be your job to interpret the arcane and seemingly impenetrable technical information using plain English that paints an accurate picture for the court. You must not use jargon and technobabble. Your clear use of language, and potentially graphics and demonstrations, if needed, may be the difference between a big win and a lost case. So you should take a quick look at each of these.
WARNING
Court procedures vary from jurisdiction to jurisdiction, but in most cases an expert cannot directly testify about anything not in his or her expert report. That is why it is critical to be thorough and to put into the
report anything you feel might be pertinent to the case. In your work as an expert witness, you will often find additional items in an investigation—items that are peripheral to the main case. If you put those in your report, however, you will be able to testify about them at trial.
The Expert Report An expert report is a formal document that lists what tests you conducted, what you found, and your conclusions. It also includes your curriculum vitae (CV), which is like a résumé, only much more thorough and specific to your work experience as a forensic investigator. Specific rules will vary from court to court, but as a general rule, if you don’t put it in your report, you cannot testify about it at trial. So you need to make very certain that your report is thorough. Put in every single test you used, every single thing you found, and your conclusions. Expert reports tend to be rather long.
It is also important to back up your conclusions. As a general rule, it’s good to have at least two to three references for every conclusion. In other words, in addition to your own opinion, you want to have a few reputable references that either agree with that conclusion or provide support for how you came to that conclusion. This way, it is not just your expert opinion, but it is supported by other reputable sources. Make sure you use reputable sources; for
example, CERT, the Federal Bureau of Investigation (FBI), the Secret Service, and the Cornell University Law School are all very reputable sources.
The reason for this is that in every legal case there are two sides. The opposing side will have an attorney and perhaps its own expert. The opposing attorney will want to pick apart every opinion and conclusion you have. If there is an opposing expert, he or she will be looking for alternative interpretations of the data or flaws in your method. You have to make sure you have fully supported your conclusions.
It should be noted that the length and level of detail found in reports varies. In many cases, criminal courts won’t require a formal expert report, but rather a statement from the attorney as to who you are and what topics you intend to testify about. You will need to produce a report of your forensic examination. In civil court, particularly in intellectual property cases, the expert report is far more lengthy and far more detailed. In my own experience, reports of 100, 200, or more pages are common. The largest I have seen yet was over 1500 pages long.
Although not all cases will involve a full, detailed expert report, many will, particularly intellectual property cases. There are few legal guidelines on expert report writing, but a few issues have become clear in my experience.
Expert reports generally start with the expert’s qualifications. This should be a complete curriculum
vitae detailing education, work history, and publications. Particular attention should be paid to elements of the expert’s history that are directly related to the case at hand. Then the report moves on to the actual topic at hand. An expert report is a very thorough document. It must first detail exactly what analysis was used. How did the expert conduct his or her examination and analysis? In the case of computer forensics, the expert report should detail what tools the expert used, what the results were, and the conditions of the tests conducted. Also, any claim an expert makes in a report should be supported by extrinsic reputable sources. This is sometimes overlooked by experts because they themselves are sources who are used, or because the claim being made seems obvious to them. For example, if an expert report needs to detail how domain name service (DNS) works in order to describe a DNS poisoning attack, then there should be references to recognized authoritative works regarding the details of domain name service. If they are not included, at trial a creative attorney can often extract nontraditional meanings from even commonly understood terms.
The next issue with an expert report is its completeness. The report must cover every item the expert wishes to opine on, and in detail. Nothing can be assumed. In some jurisdictions, if an item is not in the expert report, then the expert is not allowed to discuss it during testimony. Whether or not that is the case in your jurisdiction, it is imperative that the expert report you submit is very thorough and
complete. And of course, it must be error-free. Even the smallest error can give opposing counsel an opportunity to impugn the accuracy of the entire report and the expert’s entire testimony. This is a document that should be carefully proofread by the expert and by the attorney retaining the expert.
Expert Testimony As a forensic specialist, you will testify as an expert witness, that is, on the basis of scientific or technical knowledge you have that is relevant to a case, rather than on the basis of direct personal experience. Your testimony will be referred to as expert testimony, and there are two scenarios in which you give it: a deposition and a trial. A deposition—testimony taken from a witness or party to a case before a trial—is less formal, and is typically held in an attorney’s office. The other side’s lawyer gets to ask you questions. In fact, the lawyer can even ask some questions that would probably be disallowed by a trial judge. But do remember, this is still sworn testimony, and lying under oath is perjury, which is a felony.
U.S. Federal Rule 702, Testimony by Expert Witnesses, defines what an expert is and what expert testimony is:
A witness who is qualified as an expert by knowledge, skill, experience, training, or education may testify in the form of an opinion or otherwise if:
a. the expert’s scientific, technical, or other specialized knowledge will help the trier of fact to understand the evidence or to determine a fact in issue;
b. the testimony is based on sufficient facts or data;
c. the testimony is the product of reliable principles and methods; and
d. the expert has reliably applied the principles and methods to the facts of the case.
This definition is very helpful. Regardless of your credentials, did you base your conclusions on sufficient facts and data? Did you apply reliable scientific principles and methods in forming your conclusions? These questions should guide your forensic work.
During a deposition, the opposing counsel has a few goals. The first goal is to find out as much as possible about your position, methods, conclusions, and even your side’s legal strategy. It is important to answer honestly but as briefly as possible. Don’t volunteer information unasked. That simply allows the other side to be better prepared for trial. The second thing a lawyer is looking for during a deposition is to get you to commit to a position you may not be able to defend later. So follow a few rules:
1
If you don’t fully understand the question, say so. Ask for clarification before you answer.
If you really don’t know, say so. Do not ever guess.
If you are not 100 percent certain of an answer, say so. Say “to the best of my current recollection” or something to that effect.
The other way you may testify is at trial. The first thing you absolutely must understand is that the first time you testify, you will be nervous. You’ll begin to wonder if you are properly prepared. Are your conclusions correct? Did you miss anything? Don’t worry; each time you do this, it gets easier. Next, remember that the opposing counsel, by definition, disagrees with you and wants to trip you up. It might be helpful to remind yourself, “The opposing counsel’s default position is that I am both incompetent and a liar.” Now that is a bit harsh, and probably an overstatement, but if you start from that premise you will be prepared for the opposing counsel’s questions. Don’t be too upset if he or she is trying to make you look bad. It is not personal.
The secret to deposition and trial testimony is simple: Be prepared. You should not only make certain your forensic process is done correctly and well documented, including liberal use of charts, diagrams, and other graphics, but also prepare before you testify. Go over your report and your notes again. Often, your attorney will prep you, particularly if you have never testified before. Try to look objectively at your own report to see if there is
anything the opposing counsel might use against you. Are there alternative ways to interpret the evidence? If so, why did you reject them?
The most important things on the stand are to keep calm and tell the truth. Obviously, any lie, even a very minor one that is not directly related to your investigation, would be devastating. But becoming agitated or angry on the stand can also undermine your credibility.
In addition to U.S. Federal Rule 702, there are several other U.S. Federal Rules related to expert witness testimony at trial. They are listed and very briefly described here:
Rule 703, Admissibility of Facts: An expert may base an opinion on facts or data that the expert has been made aware of or personally observed. If experts in the particular field would reasonably rely on those kinds of facts or data in forming an opinion on the subject, they need not be admissible for the opinion to be admitted. But if the facts or data would otherwise be inadmissible, the proponent of the opinion may disclose them to the jury only if their probative value in helping the jury evaluate the opinion substantially outweighs their prejudicial effect.
Rule 704, Opinion on Ultimate Issue: An opinion is not objectionable just because it embraces an ultimate issue. In other words, an expert witness can, in many cases, offer an opinion as to the ultimate issue in a case.
Rule 705, Disclosing Underlying Facts for Opinion: Unless the court orders otherwise, an expert may state an opinion—and give the reasons for it—without first testifying to the underlying facts or data. But the expert may be required to disclose those facts or data on cross- examination. Essentially, the expert can state his or her opinion without first giving the underlying facts, but should expect to be questioned on those facts at some point.
Rule 706, Court-Appointed Expert: This rule covers the appointment of a neutral expert to advise the court. Such experts are not working for the plaintiff or the defendant, but rather for the court.
Rule 401, Relevance of Evidence: Evidence is relevant if: (a) it has any tendency to make a fact more or less probable than it would be without the evidence; and (b) the fact is of consequence in determining the action.
Understanding the Field of Digital Forensics
The field of digital forensics is changing very rapidly. First and foremost, standards are emerging. This means there are clearly defined ways of properly doing forensics. When computer forensics first began, most investigations were conducted according to the whim of the investigator rather than through a standardized methodology. But as the field has matured, it has also standardized. Today, there are clear, codified methods for conducting a forensic examination.
Another change is in who is doing forensics. At one time, all forensics, including computer forensics, was the exclusive domain of law enforcement. That is no longer the case. Today, the following entities are also involved in and actively using computer forensics:
The military: The military uses digital forensics to gather intelligence information from computers captured during military actions.
Government agencies: Government agencies use digital forensics to investigate crimes involving computers. These agencies include the FBI, U.S. Postal Inspection Service, Federal Trade Commission, U.S. Food and Drug Administration, and U.S. Secret Service. They also include the U.S. Department of Justice’s National Institute of Justice (NIJ), the National
Institute of Standards and Technology (NIST), the Office of Law Enforcement Standards (OLES), the Department of Homeland Security, and foreign government agencies, among others.