Loading...

Messages

Proposals

Stuck in your homework and missing deadline? Get urgent help in $10/Page with 24 hours deadline

Get Urgent Writing Help In Your Essays, Assignments, Homeworks, Dissertation, Thesis Or Coursework & Achieve A+ Grades.

Privacy Guaranteed - 100% Plagiarism Free Writing - Free Turnitin Report - Professional And Experienced Writers - 24/7 Online Support

Guide to computer forensics and investigations bill nelson pdf

13/10/2021 Client: muhammad11 Deadline: 2 Day

1.You have just been hired to perform digital investigations and forensics analysis for a company. You find that no policies, processes, or procedures are currently in place. Conduct research to find information, and then create a policy and process document (3 to 4 pages in length) to provide the structure necessary for your lab environment. Be sure to cite your online sources and follow APA formatting.(3,4)

2.Establish a procedure for your organization on how to validate a new forensics software package. Write 3 to 4 pages outlining the procedure you plan to use in your lab. Be sure to cite references, such as the ISO standard or NIST, to support your procedure. Make sure you use APA formatting.(chapter 5,6)

3.As part of the duties of a digital forensics examiner, creating an investigation plan is a standard practice. Write a 3 to 4 (not including title or reference page) page paper that describes how you would organize an investigation for a potential fraud case. In addition, list methods you plan to use to validate the data collected from drives and files such as Word and Excel, with hashes. Specify the hash algorithm you plan to use, such as MD5 or SHA1. Make sure you follow the grading rubric and write your paper in APA format.(chapter 9,10)

4. A mother calls you to report that her 15-year-old daughter has run away from home. She has access to her daughter's e-mail account and says her daughter has a number of emails in her inbox suggesting she has run away to be with a 35-year-old woman. Write a 2 to 3 page paper/report (not including title or reference page) explaining how you should proceed. Make sure you adhere to the grading rubric and write the report in APA format.(chapter 11,12)

· 3-4 pages in length (excluding cover page, abstract, and reference list)

· APA format, Use the APA template located in the Student Resource Center to complete the assignment.

· Please use the Case Study Guide as a reference point for writing your case study.

Refere text book :

Guide to Computer Forensics and Investigations: Processing Digital Evidence

Fifth Edition

Bill Nelson Amelia Phillips Christopher Steuart

Australia • Brazil • Mexico • Singapore • United Kingdom • United States

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

This is an electronic version of the print textbook. Due to electronic rights restrictions, some third party content may be suppressed. Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. The publisher reserves the right to remove content from this title at any time if subsequent rights restrictions require it. For valuable information on pricing, previous editions, changes to current editions, and alternate formats, please visit www.cengage.com/highered to search by ISBN#, author, title, or keyword for materials in your areas of interest.

Important Notice: Media content referenced within the product description or the product text may not be available in the eBook version.

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

Product Director: Kathleen McMahon

Senior Director of Development: Marah Bellegarde

Product Team Manager: Kristin McNary

Product Development Manager: Leigh Hefferon

Senior Content Developer: Julia McGuirk

Developmental Editor: Lisa M. Lord

Product Assistant: Scott Finger

Marketing Director: Michele McTighe

Marketing Manager: Eric La Scola

Marketing Coordinator: Will Guiliani

Production Director: Patty Stephan

Senior Content Project Manager: Brooke Greenhouse

Managing Art Director: Jack Pendleton

Cover photo or illustration: ª Mega Pixel/ Shutterstock

Manufacturing Planner: Ron Montgomery

Compositor: Cenveo Publisher Services

Quality Assurance Tester: Serge Palladino

ª 2016 Cengage Learning

ALL RIGHTS RESERVED. No part of this work covered by the copyright herein may be reproduced, transmitted, stored or used in any form or by any means graphic, electronic, or mechanical, including but not limited to photocopying, recording, scanning, digitizing, taping, Web distribution, information networks, or information storage and retrieval systems, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the publisher.

For product information and technology assistance, contact us at Cengage Learning Customer & Sales Support, 1-888-354-9706

For permission to use material from this text or product, submit all requests online at cengage.com/permissions Further permissions questions can be emailed to

permissionrequest@cengage.com

Library of Congress Control Number: 2014958600

ISBN: 978-1-285-06003-3

Cengage Learning 20 Channel Center Street Boston, MA 02210

Cengage Learning is a leading provider of customized learning solutions with office locations around the globe, including Singapore, the United Kingdom, Australia, Mexico, Brazil, and Japan. Locate your local office at: www.cengage.com/global

Cengage Learning products are represented in Canada by Nelson Education, Ltd.

To learn more about Cengage Learning, visit www.cengage.com

Purchase any of our products at your local college store or at our preferred online store www.cengagebrain.com.

Guide to Computer Forensics and Investigations: Processing Digital Evidence, Fifth Edition

Bill Nelson, Amelia Phillips, Christopher Steuart

Publisher does not warrant or guarantee any of the products described herein or perform any independent analysis in connection with any of the product information contained herein. Publisher does not assume, and expressly disclaims, any obligation to obtain and include information other than that provided to it by the manufacturer. The reader is expressly warned to consider and adopt all safety precautions that might be indicated by the activities described herein and to avoid all potential hazards. By following the instructions contained herein, the reader willingly assumes all risks in connection with such instructions. The publisher makes no representations or warranties of any kind, including but not limited to, the warranties of fitness for particular purpose or merchantability, nor are any such representations implied with respect to the material set forth herein, and the publisher takes no responsibility with respect to such material. The publisher shall not be liable for any special, consequential, or exemplary damages resulting, in whole or part, from the readers’ use of, or reliance upon, this material.

Printed in the United States of America

Print Number: 01 Print Year: 2015

WCN: 02-200-203

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

Brief Table of ContentsBrief Table of Contents

PREFACE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii

CHAPTER 1 Understanding the Digital Forensics Profession and Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

CHAPTER 2 The Investigator’s Office and Laboratory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

CHAPTER 3 Data Acquisition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

CHAPTER 4 Processing Crime and Incident Scenes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

CHAPTER 5 Working with Windows and CLI Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

CHAPTER 6 Current Digital Forensics Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251

CHAPTER 7 Linux and Macintosh File Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285

CHAPTER 8 Recovering Graphics Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317

CHAPTER 9 Digital Forensics Analysis and Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359

CHAPTER 10 Virtual Machine Forensics, Live Acquisitions, and Network Forensics. . . . . . . . . . . . . . . . . . . . . . . . . . . . 389

CHAPTER 11 E-mail and Social Media Investigations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423

CHAPTER 12 Mobile Device Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457

CHAPTER 13 Cloud Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481

CHAPTER 14 Report Writing for High-Tech Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511

CHAPTER 15 Expert Testimony in Digital Investigations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535

CHAPTER 16 Ethics for the Expert Witness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567

APPENDIX A Certification Test References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599

APPENDIX B Digital Forensics References. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603

iii Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

APPENDIX C Digital Forensics Lab Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609

APPENDIX D DOS File System and Forensics Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615

GLOSSARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623

INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633

iv Brief Table of Contents

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

Table of ContentsTable of Contents

PREFACE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii

CHAPTER 1 Understanding the Digital Forensics Profession and Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

An Overview of Digital Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Digital Forensics and Other Related Disciplines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 A Brief History of Digital Forensics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Understanding Case Law. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Developing Digital Forensics Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Preparing for Digital Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Understanding Law Enforcement Agency Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Following Legal Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Understanding Private-Sector Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Maintaining Professional Conduct . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Preparing a Digital Forensics Investigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 An Overview of a Computer Crime. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 An Overview of a Company Policy Violation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 Taking a Systematic Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Procedures for Private-Sector High-Tech Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Employee Termination Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Internet Abuse Investigations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 E-mail Abuse Investigations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 Attorney-Client Privilege Investigations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Industrial Espionage Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Interviews and Interrogations in High-Tech Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Understanding Data Recovery Workstations and Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Setting Up Your Workstation for Digital Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Conducting an Investigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Gathering the Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Understanding Bit-stream Copies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Acquiring an Image of Evidence Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Using ProDiscover Basic to Acquire a USB Drive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Analyzing Your Digital Evidence. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Completing the Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 Critiquing the Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

CHAPTER 2 The Investigator’s Office and Laboratory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Understanding Forensics Lab Accreditation Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Identifying Duties of the Lab Manager and Staff. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Lab Budget Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 Acquiring Certification and Training. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

v Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

Determining the Physical Requirements for a Digital Forensics Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 Identifying Lab Security Needs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 Conducting High-Risk Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 Using Evidence Containers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 Overseeing Facility Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 Considering Physical Security Needs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 Auditing a Digital Forensics Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 Determining Floor Plans for Digital Forensics Labs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Selecting a Basic Forensic Workstation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 Selecting Workstations for a Lab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 Selecting Workstations for Private and Corporate Labs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 Stocking Hardware Peripherals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 Maintaining Operating Systems and Software Inventories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 Using a Disaster Recovery Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 Planning for Equipment Upgrades. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Building a Business Case for Developing a Forensics Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80 Preparing a Business Case for a Digital Forensics Lab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

CHAPTER 3 Data Acquisition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Understanding Storage Formats for Digital Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90 Raw Format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 Proprietary Formats. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 Advanced Forensic Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

Determining the Best Acquisition Method. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

Contingency Planning for Image Acquisitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

Using Acquisition Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 Mini-WinFE Boot CDs and USB Drives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 Acquiring Data with a Linux Boot CD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 Capturing an Image with ProDiscover Basic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107 Capturing an Image with AccessData FTK Imager Lite. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Validating Data Acquisitions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 Linux Validation Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 Windows Validation Methods. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Performing RAID Data Acquisitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118 Understanding RAID. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118 Acquiring RAID Disks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Using Remote Network Acquisition Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122 Remote Acquisition with ProDiscover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122 Remote Acquisition with EnCase Enterprise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 Remote Acquisition with R-Tools R-Studio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 Remote Acquisition with WetStone US-LATT PRO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 Remote Acquisition with F-Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

Using Other Forensics Acquisition Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125 PassMark Software ImageUSB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125 ASRData SMART . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

vi Table of Contents

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

Runtime Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125 ILookIX Investigator IXimager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 SourceForge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

CHAPTER 4 Processing Crime and Incident Scenes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

Identifying Digital Evidence. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136 Understanding Rules of Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

Collecting Evidence in Private-Sector Incident Scenes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

Processing Law Enforcement Crime Scenes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 Understanding Concepts and Terms Used in Warrants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

Preparing for a Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149 Identifying the Nature of the Case. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149 Identifying the Type of OS or Digital Device. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150 Determining Whether You Can Seize Computers and Digital Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150 Getting a Detailed Description of the Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150 Determining Who Is in Charge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 Using Additional Technical Expertise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 Determining the Tools You Need . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152 Preparing the Investigation Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

Securing a Computer Incident or Crime Scene. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

Seizing Digital Evidence at the Scene . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 Preparing to Acquire Digital Evidence. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 Processing an Incident or a Crime Scene . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156 Processing Data Centers with RAID Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 Using a Technical Advisor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 Documenting Evidence in the Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160 Processing and Handling Digital Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160

Storing Digital Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160 Evidence Retention and Media Storage Needs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161 Documenting Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

Obtaining a Digital Hash . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

Reviewing a Case. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 Sample Civil Investigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 Sample Criminal Investigation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 Reviewing Background Information for a Case. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168 Planning the Investigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168 Conducting the Investigation: Acquiring Evidence with OSForensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

Table of Contents vii

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

CHAPTER 5 Working with Windows and CLI Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

Understanding File Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184 Understanding the Boot Sequence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184 Understanding Disk Drives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185 Solid-State Storage Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

Exploring Microsoft File Structures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188 Disk Partitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189 Examining FAT Disks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

Examining NTFS Disks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197 NTFS System Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 MFT and File Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200 MFT Structures for File Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204 NTFS Alternate Data Streams . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213 NTFS Compressed Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215 NTFS Encrypting File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216 EFS Recovery Key Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216 Deleting NTFS Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217 Resilient File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

Understanding Whole Disk Encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218 Examining Microsoft BitLocker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219 Examining Third-Party Disk Encryption Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220

Understanding the Windows Registry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220 Exploring the Organization of the Windows Registry. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221 Examining the Windows Registry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223

Understanding Microsoft Startup Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227 Startup in Windows 7 and Windows 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227 Startup in Windows NT and Later . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227

Understanding Virtual Machines. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230 Creating a Virtual Machine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244

Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250

CHAPTER 6 Current Digital Forensics Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251

Evaluating Digital Forensics Tool Needs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252 Types of Digital Forensics Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253 Tasks Performed by Digital Forensics Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253 Tool Comparisons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263 Other Considerations for Tools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265

Digital Forensics Software Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265 Command-Line Forensics Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265 Linux Forensics Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266 Other GUI Forensics Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268

Digital Forensics Hardware Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268 Forensic Workstations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268 Using a Write-Blocker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269 Recommendations for a Forensic Workstation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270

viii Table of Contents

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

Validating and Testing Forensics Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271 Using National Institute of Standards and Technology Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271 Using Validation Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273

Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274

Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276

Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282

CHAPTER 7 Linux and Macintosh File Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285

Examining Linux File Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286 File Structures in Ext4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291

Understanding Macintosh File Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298 An Overview of Mac File Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299 Forensics Procedures in Mac . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301

Using Linux Forensics Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303 Installing Sleuth Kit and Autopsy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309

Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310

Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314

Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316

CHAPTER 8 Recovering Graphics Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317

Recognizing a Graphics File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318 Understanding Bitmap and Raster Images. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318 Understanding Vector Graphics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319 Understanding Metafile Graphics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319 Understanding Graphics File Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319 Understanding Digital Camera File Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320

Understanding Data Compression. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324 Lossless and Lossy Compression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325

Locating and Recovering Graphics Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325 Identifying Graphics File Fragments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326 Repairing Damaged Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326 Searching for and Carving Data from Unallocated Space . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328 Rebuilding File Headers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334 Reconstructing File Fragments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337

Identifying Unknown File Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341 Analyzing Graphics File Headers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342 Tools for Viewing Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344 Understanding Steganography in Graphics Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344 Using Steganalysis Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347

Understanding Copyright Issues with Graphics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349

Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350

Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353

Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357

Table of Contents ix

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

CHAPTER 9 Digital Forensics Analysis and Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359

Determining What Data to Collect and Analyze . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360 Approaching Digital Forensics Cases. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360 Using OSForensics to Analyze Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362

Validating Forensic Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366 Validating with Hexadecimal Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367 Validating with Digital Forensics Tools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369

Addressing Data-Hiding Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372 Hiding Files by Using the OS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372 Hiding Partitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372 Marking Bad Clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374 Bit-Shifting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374 Understanding Steganalysis Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377 Examining Encrypted Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378 Recovering Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379

Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380

Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383

Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386

CHAPTER 10 Virtual Machine Forensics, Live Acquisitions, and Network Forensics. . . . . . . . . . . . . . . . . . . . . . . . . . . . 389

An Overview of Virtual Machine Forensics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390 Type 2 Hypervisors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391 Conducting an Investigation with Type 2 Hypervisors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396 Working with Type 1 Hypervisors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405

Performing Live Acquisitions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406 Performing a Live Acquisition in Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407

Network Forensics Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408 The Need for Established Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408 Securing a Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408 Developing Procedures for Network Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409 Examining the Honeynet Project . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415

Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416

Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419

Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422

CHAPTER 11 E-mail and Social Media Investigations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423

Exploring the Role of E-mail in Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424

Exploring the Roles of the Client and Server in E-mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425

Investigating E-mail Crimes and Violations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426 Examining E-mail Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427 Viewing E-mail Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428 Examining E-mail Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430 Examining Additional E-mail Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432 Tracing an E-mail Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432 Using Network E-mail Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433

x Table of Contents

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

Understanding E-mail Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434 Examining UNIX E-mail Server Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435 Examining Microsoft E-mail Server Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436

Using Specialized E-mail Forensics Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437 Using OSForensics to Recover E-mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439 Using a Hex Editor to Carve E-mail Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440 Recovering Outlook Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443 E-mail Case Studies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444

Applying Digital Forensics to Social Media. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444 Forensics Tools for Social Media Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446

Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447

Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451

Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455

CHAPTER 12 Mobile Device Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457

Understanding Mobile Device Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458 Mobile Phone Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459 Inside Mobile Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461

Understanding Acquisition Procedures for Mobile Devices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463 Mobile Forensics Equipment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465 Mobile Forensics Tools in Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473

Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474

Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477

Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479

CHAPTER 13 Cloud Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481

An Overview of Cloud Computing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482 History of the Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482 Cloud Service Levels and Deployment Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482 Cloud Vendors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484 Basic Concepts of Cloud Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484

Legal Challenges in Cloud Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485 Service Level Agreements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485 Jurisdiction Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487 Accessing Evidence in the Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487

Technical Challenges in Cloud Forensics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489 Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490 Analysis of Cloud Forensic Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490 Anti-Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490 Incident First Responders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490 Role Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491 Standards and Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491

Acquisitions in the Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491 Encryption in the Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492

Table of Contents xi

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

Conducting a Cloud Investigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493 Investigating CSPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494 Investigating Cloud Customers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494 Understanding Prefetch Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494 Examining Stored Cloud Data on a PC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495 Windows Prefetch Artifacts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499

Tools for Cloud Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500 Forensic Open-Stack Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500 F-Response for the Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501

Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502

Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505

Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510

CHAPTER 14 Report Writing for High-Tech Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511

Understanding the Importance of Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512 Limiting a Report to Specifics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513 Types of Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513

Guidelines for Writing Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515 What to Include in Written Preliminary Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516 Report Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517 Writing Reports Clearly. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518 Designing the Layout and Presentation of Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519

Generating Report Findings with Forensics Software Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523 Using ProDiscover Basic to Generate Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523 Using OSForensics to Generate Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528

Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529

Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531

Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534

CHAPTER 15 Expert Testimony in Digital Investigations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535

Preparing for Testimony . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536 Documenting and Preparing Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537 Reviewing Your Role as a Consulting Expert or an Expert Witness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538 Creating and Maintaining Your CV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538 Preparing Technical Definitions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539 Preparing to Deal with the News Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539

Testifying in Court . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540 Understanding the Trial Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540 Providing Qualifications for Your Testimony . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541 General Guidelines on Testifying. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542 Testifying During Direct Examination. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546 Testifying During Cross-Examination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547

Preparing for a Deposition or Hearing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549 Guidelines for Testifying at Depositions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549 Guidelines for Testifying at Hearings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551

xii Table of Contents

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

Preparing Forensics Evidence for Testimony . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551 Preparing a Defense of Your Evidence-Collection Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555

Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555

Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 556

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559

Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565

CHAPTER 16 Ethics for the Expert Witness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567

Applying Ethics and Codes to Expert Witnesses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 568 Forensics Examiners’ Roles in Testifying. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569 Considerations in Disqualification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570 Traps for Unwary Experts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571 Determining Admissibility of Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572

Organizations with Codes of Ethics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573 International Society of Forensic Computer Examiners. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573 International High Technology Crime Investigation Association . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574 International Association of Computer Investigative Specialists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574 American Bar Association . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574 American Psychological Association . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575

Ethical Difficulties in Expert Testimony . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575 Ethical Responsibilities Owed to You . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 576 Standard and Personally Created Forensics Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577

An Ethics Exercise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577 Determining Hexadecimal Values for Text Strings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578 Searching for Unicode Data in ProDiscover Basic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578 Interpreting Attribute 0x80 Data Runs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580 Carving Data Run Clusters Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593

Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594

Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596

Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 598

APPENDIX A Certification Test References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599

APPENDIX B Digital Forensics References. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603

APPENDIX C Digital Forensics Lab Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609

APPENDIX D DOS File System and Forensics Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615

GLOSSARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623

INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633

Table of Contents xiii

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

PrefacePreface

Guide to Computer Forensics and Investigations: Processing Digital Evidence is now in its fifth edi- tion! My sincere congratulations to the authors and publishing staff who have made this book such a great resource for thousands of students and practitioners worldwide. As digital technology and cyberspace have evolved from their early roots as basic communications platforma, so has the demand for people who have the knowledge and skills to investigate legal and technical issues involv- ing computers and digital technology.

Today, computers, the Internet, and the world’s digital ecosystem are instrumental in how we conduct our daily lives. The technological advancement of these systems over the past 10 years has changed the way we learn, socialize, and conduct business. Many of us working computer forensic cases in the secu- rity and criminal justice sectors during the late 1990s came to the conclusion that technology’s rate of growth was going to have a significant impact on our operations. Currently, the organizations and agencies whose job it is to investigate both criminal and civil matters involving the use of rapidly evolv- ing digital technology often struggle to keep up with the ever-changing digital landscape. Additionally, finding trained and qualified people to conduct these types of inquiries has been challenging as well.

In 1998, while creating an instructional program for law enforcement officers, I predicted that by the year 2005, approximately 85% of all crimes committed in the United States would have some type of digital component related to the crime. That prediction has now come true with an entire industry evolving for the purpose of investigating events occurring in cyberspace, including incidents involving international and corporate espionage, massive data breaches, and even cyberterrorism. Professionals

xv Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

in this exciting field of endeavor are now in wide demand and are expected to have multiple skill sets in areas such as malware analysis, software reverse-engineering, and mobile device forensics.

The study of computer forensics, which has subsequently morphed into the discipline digital forensics, has become one of the hottest and in-demand career choices for many high school and college stu- dents worldwide. Guide to Computer Forensics and Investigations: Processing Digital Evidence can now be found in both academic and professional environments as a reliable source of current techni- cal information and practical exercises on investigations involving the latest digital technology. It’s my belief that this book, combined with an enthusiastic and knowledgeable facilitator, will make for a fascinating course of instruction.

As I have stated to many of my students, it’s not just desktop computers that harbor the binary code of 1s and 0s, but an infinite array of digital devices. If one of these devices retains evidence of a crime, it will be up to newly trained and educated digital detectives to find the evidence in a forensically sound manner. This book will assist both students and practitioners in accomplishing this goal.

Respectfully,

John A. Sgromolo

As a Senior Special Agent, John was one of the founding members of the NCIS Computer Crime Inves- tigations Group. John left government service to run his own company, Digital Forensics, Inc., and has taught hundreds of law enforcement and corporate students nationwide the art and science of digital forensic investigations. Currently, John serves as a Senior Investigator for Verizon’s RISK Team.

xvi Preface

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

IntroductionIntroduction

Computer forensics, now most commonly called “digital forensics,” has been a professional field for many years, but most well-established experts in the field have been self-taught. The growth of the Internet and the worldwide proliferation of computers have increased the need for digital investigations. Computers can be used to commit crimes, and crimes can be recorded on computers, including company policy violations, embezzlement, e-mail harassment, murder, leaks of proprietary information, and even terrorism. Law enforcement, network administrators, attorneys, and private investigators now rely on the skills of professional digital forensics experts to investigate criminal and civil cases.

This book is not intended to provide comprehensive training in digital forensics. It does, however, give you a solid foundation by introducing digital forensics to those who are new to the field. Other books on digital forensics are targeted to experts; this book is intended for novices who have a thorough grounding in computer and networking basics.

The new generation of digital forensics experts needs more initial training because operating systems, computer and mobile device hardware, and forensics software tools are changing more quickly. This book covers current and past operating systems and a range of hardware, from basic workstations and high-end network servers to a wide array of mobile devices. Although this book focuses on a few forensics software tools, it also reviews and discusses other currently available tools.

The purpose of this book is to guide you toward becoming a skilled digital forensics investigator. A secondary goal is to help you pass related certification exams. As the field of digital forensics and investigations matures, keep in mind that certifications will change. You can find more information on certifications in Chapter 2 and Appendix A.

xvii Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

Intended Audience Although this book can be used by people with a wide range of backgrounds, it’s intended for those with A1 and Network1 certifications or the equivalent. A networking background is necessary so that you understand how computers operate in a networked environment and can work with a network administrator when needed. In addition, you must know how to use a computer from the command line and how to use common operating systems, including Windows, Linux, and Mac OS, and their related hardware.

This book can be used at any educational level, from technical high schools and community colleges to graduate students. Current professionals in the public and private sectors can also use this book. Each group will approach investigative problems from a different perspective, but all will benefit from the coverage.

What’s New in This Edition The chapter flow of this book is organized so that you’re first exposed to what happens in a forensics lab and how to set one up before you get into the nuts and bolts. Coverage of several GUI tools has been added to give you a familiarity with some widely used software. In addition, Chapter 11 now includes coverage of social media forensics, and Chapter 13 is a new chapter on forensics procedures for information stored in the cloud. Chapter 12 has also expanded to include more information on smartphones and tablets. Corrections have been made to this edition based on feedback from users, and all software packages and Web sites have been updated to reflect what’s current at the time of publication. Finally, a new lab manual is now offered to go with the new fifth edition textbook (ISBN: 9781285079080).

Chapter Descriptions Here is a summary of the topics covered in each chapter of this book:

Chapter 1, “Understanding the Digital Forensics Profession and Investigations,” introduces you to the history of digital forensics and explains how the use of electronic evidence developed. It also reviews legal issues and compares public and private sector cases. This chapter also explains how to take a systematic approach to preparing a digital investigation, describes how to conduct an investigation, and summarizes requirements for workstations and software.

Chapter 2, “The Investigator’s Office and Laboratory,” outlines physical requirements and equipment for digital forensics labs, from small private investigators’ labs to the regional FBI lab. It also covers certifications for digital investigators and building a business case for a forensics lab.

Chapter 3, “Data Acquisition,” explains how to prepare to acquire data from a suspect’s drive and discusses available Linux and GUI acquisition tools. This chapter also discusses acquiring data from RAID systems and gives you an overview of tools for remote acquisitions.

Chapter 4, “Processing Crime and Incident Scenes,” explains search warrants and the nature of a typical digital forensics case. It discusses when to use outside professionals, how to assemble a team, and how to evaluate a case and explains the correct procedures for searching and seizing evi- dence. This chapter also introduces you to calculating hashes to verify data you collect.

Chapter 5, “Working with Windows and CLI Systems,” discusses the most common operating systems. You learn what happens and what files are altered during computer startup and how file systems deal with deleted and slack space. In addition, this chapter covers some options for decrypt- ing drives encrypted with whole disk encryption and explains the purpose of using virtual machines.

xviii Introduction

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

Chapter 6, “Current Digital Forensics Tools,” explores current digital forensics software and hard- ware tools, including those that might not be readily available, and evaluates their strengths and weaknesses.

Chapter 7, “Linux and Macintosh File Systems,” continues the operating system discussion from Chapter 5 by examining Macintosh and Linux OSs and file systems. It also gives you practice in using Linux forensics tools.

Chapter 8, “Recovering Graphics Files,” explains how to recover graphics files and examines data compression, carving data, reconstructing file fragments, and steganography and copyright issues.

Chapter 9, “Digital Forensics Analysis and Validation,” covers determining what data to collect and analyze and refining investigation plans. It also explains validation with hex editors and forensics software and data-hiding techniques.

Chapter 10, “Virtual Machine Forensics, Live Acquisitions, and Network Forensics,” covers tools and methods for conducting forensic analysis of virtual machines, performing live acquisitions, reviewing network logs for evidence, and using network-monitoring tools to detect unauthorized access. It also examines using Linux tools and the Honeynet Project’s resources.

Chapter 11, “E-mail and Social Media Investigations,” examines e-mail crimes and violations and reviews some specialized e-mail and social media forensics tools. It also explains how to approach investigating social media communications and handling the challenges this content poses.

Chapter 12, “Mobile Device Forensics,” covers investigation techniques and acquisition procedures for smartphones and other mobile devices. You learn where data might be stored or backed up and what tools are available for these investigations.

Chapter 13, “Cloud Forensics,” summarizes the legal and technical challenges in conducting cloud forensics. It also describes how to acquire cloud data and explains how remote acquisition tools can be used in cloud investigations.

Chapter 14, “Report Writing for High-Tech Investigations,” discusses the importance of report writing in digital forensics examinations; offers guidelines on report content, structure, and presen- tation; and explains how to generate report findings with forensics software tools.

Chapter 15, “Expert Testimony in Digital Investigations,” explores the role of an expert witness or a fact witness, including developing a curriculum vitae, understanding the trial process, and prepar- ing forensics evidence for testimony. It also offers guidelines for testifying in court and at deposi- tions and hearings.

Chapter 16, “Ethics for the Expert Witness,” provides guidance in the principles and practice of ethics for digital forensics investigators and examines other professional organizations’ codes of ethics.

Appendix A, “Certification Test References,” provides information on the National Institute of Standards and Technology (NIST) testing processes for validating digital forensics tools and covers digital forensics certifications and training programs.

Appendix B, “Digital Forensics References,” lists recommended books, journals, e-mail lists, and Web sites for additional information and further study. It also covers the latest ISO 27000 stand- ards that apply to digital forensics.

Introduction xix

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

Appendix C, “Digital Forensics Lab Considerations,” provides more information on considera- tions for forensics labs, including certifications, ergonomics, structural design, and communication and fire-suppression systems.

Appendix D, “DOS File System and Forensics Tools,” reviews FAT file system basics and Mac leg- acy file systems and explains using DOS forensics tools, creating forensic boot media, and using scripts. It also reviews DriveSpy commands and X-Ways Replica and gives you an overview of the hexadecimal numbering system and how it’s applied to digital information.

Features To help you fully understand digital forensics, this book includes many features designed to enhance your learning experience:

• Chapter objectives—Each chapter begins with a detailed list of the concepts to be mastered in that chapter. This list gives you a quick reference to the chapter’s contents and is a useful study aid.

• Figures and tables—Screenshots are used as guidelines for stepping through commands and forensics tools. For tools not included with the book or that aren’t offered in free demo ver- sions, figures have been added when possible to illustrate the tool’s interface. Tables are used throughout the book to present information in an organized, easy-to-grasp manner.

• Chapter summaries—Each chapter’s material is followed by a summary of the concepts intro- duced in that chapter. These summaries are a helpful way to review the ideas covered in each chapter.

• Key terms—Following the chapter summary, all new terms introduced in the chapter with boldfaced text are gathered together in the Key Terms list, with full definitions for each term. This list encourages a more thorough understanding of the chapter’s key concepts and is a useful reference.

• Review questions—The end-of-chapter assessment begins with a set of review questions that reinforce the main concepts in each chapter. These questions help you evaluate and apply the material you have learned.

• Hands-on projects—Although understanding the theory behind digital technology is important, nothing can improve on real-world experience. To this end, each chapter offers several hands-on projects with software supplied with this book or free downloads. You can explore a variety of ways to acquire and even hide evidence. For the conceptual chapters, research projects are provided.

• Case projects—At the end of each chapter are several case projects. To complete these projects, you must draw on real-world common sense as well as your knowledge of the technical topics covered to that point in the book. Your goal for each project is to come up with answers to problems similar to those you’ll face as a working digital forensics investigator.

• Video tutorials—The Instructor Companion Site includes video tutorials to help with learning the tools needed to perform in-chapter activities and hands-on projects. Each tutorial is a .wmv file that can be played in most OSs.

• Software and student data files—This book includes a DVD containing student data files and free software demo packages for use with activities and projects in the chapters. (Additional software demos or freeware can be downloaded to use in some projects.) Three software com- panies have graciously agreed to allow including their products with this book: Technology

xx Introduction

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

Pathways (ProDiscover Basic), PassMark Software (OSForensics), and X-Ways (WinHex Demo). To check for newer versions or additional information, visit Technology Pathways, LLC at www.arcgroupny.com/products/, PassMark Software at www.osforensics.com, and X-Ways Software Technology AG at www.x-ways.net.

Technology Pathways recently changed its name to the ARC Group.

Text and Graphic Conventions When appropriate, additional information and exercises have been added to this book to help you better understand the topic at hand. The following icons used in this book alert you to additional materials:

The Note icon draws your attention to additional helpful material related to the subject being covered.

Tips based on the authors’ experience offer extra information about how to attack a problem or what to do in real-world situations.

The Caution icon warns you about potential mistakes or problems and explains how to avoid them.

Each hands-on project in this book is preceded by the Hands- On icon and a description of the exercise that follows.

This icon marks case projects, which are scenario-based or research assignments. In these extensive case examples, you’re asked to apply independently what you have learned.

Instructor’s Resources The following additional materials are available when this book is used in a classroom setting. All the supplements available with this book are provided to instructors for download at our Instructor Companion Site. Simply search for this text at login.cengage.com.

• Electronic Instructor’s Manual—The Instructor’s Manual that accompanies this book includes additional instructional material to assist in class preparation, including suggestions for lecture topics, recommended lab activities, tips on setting up a lab for hands-on projects, and solutions to all end-of-chapter materials.

Introduction xxi

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

• Cognero�—Cengage Learning Testing Powered by Cognero is a flexible, online system that allows you to author, edit, and manage test bank content from multiple Cengage Learning solu- tions; create multiple test versions in an instant; and deliver tests from your LMS, your class- room, or wherever you want.

• PowerPoint presentations—This book comes with a set of Microsoft PowerPoint slides for each chapter. These slides are meant to be used as a teaching aid for classroom presentations, to be made available to students on the network for chapter review, or to be printed for classroom distribution. Instructors are also at liberty to add their own slides for other topics introduced.

• Figure files—All the figures in the book are reproduced on the Instructor Companion Site. Simi- lar to the PowerPoint presentations, they’re included as a teaching aid for classroom presenta- tion, to make available to students for review, or to be printed for classroom distribution.

Student Resources Lab Manual for Guide to Computer Forensics and Investigations (ISBN: 1285079086), a companion to Guide to Computer Forensics and Investigations, Fifth Edition, provides students with additional hands-on experience.

Lab Requirements The hands-on projects in this book help you apply what you have learned about digital forensics techniques. The following sections list the minimum requirements for completing all the projects in this book. In addition to the items listed, you must be able to download and install demo versions of software.

In Chapter 12, you use a demo version of Oxygen Forensics to search for e-mails. This software requires getting a registration code to download and install it, and you must e-mail the vendor ahead of time to get this code. Make sure you allow at least a few days to get this software ready before you start Chapter 12.

Minimum Lab Requirements • Lab computers that boot to Windows 7, 8, or 8.1

• An external USB, FireWire, or SATA drive larger than a typical 512 MB USB drive

The projects in this book are designed with the following hardware and software requirements in mind. The lab in which most of the work takes place should be a typical network training lab with a variety of operating systems and computers available.

Operating Systems and Hardware

Windows 7, 8, or 8.1 Use a standard installation of Windows. The computer running Windows should be a fairly current model that meets the following minimum requirements:

• USB ports

• CD-ROM/DVD-ROM drive

• VGA or higher monitor

xxii Introduction

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

• Hard disk partition of 100 GB or more

• Mouse or other pointing device

• Keyboard

• At least 6 GB RAM (more is recommended)

Linux For this book, it’s assumed you’re using an Ubuntu standard installation, although other Linux distributions will work with minor modifications. Also, some projects use specialized “live” Linux distributions, such as Kali Linux.

• Hard disk partition of 6 GB or more reserved for Linux

• Other hardware requirements are the same as those listed for Windows computers

This book contains a DVD with data files, demo software, and video tutorials. Some older computers and DVD drives might have difficulty reading data from this DVD. If you have any problems, make sure you copy the data to an external USB or FireWire drive before transferring it to your computer.

Digital Forensics Software Three digital forensics programs, listed previously under “Features,” are supplied with this book. In addition, there are projects using the following software, most of which can be downloaded from the Internet as freeware, shareware, or demo versions:

Because Web site addresses change frequently, use a search engine to find the following software online if URLs are no longer valid. Efforts have been made to provide information that’s current at the time of writing, but things change constantly on the Web. Learning how to use search tools to find what you need is a valuable skill you’ll use as a digital forensics investigator.

• DEFT: Download from www.deftlinux.net. This virtual appliance currently works only with Ubuntu 12.04.

• Device Seizure: Download from www.paraben.com.

• Facebook Forensics: Download from www.facebookforensics.com.

• HexWorkshop: Download from Breakpoint Software at www.hexworkshop.com.

• IrfanView: Download from www.irfanview.com.

• Kali Linux: Download the ISO image from www.kali.org.

• OpenOffice (includes OpenCalc): Download from www.openoffice.org.

• Oxygen Forensics: Register at www.oxygen-forensic.com/en/ to get a code for downloading. You must use a business e-mail address or one ending in .edu. Oxygen doesn’t respond to free Web-based e-mail addresses, such as Yahoo! or Gmail.

• PsTools: Download from http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx.

Introduction xxiii

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

• SecureClean: Download from www.whitecanyon.com/ConsumerSecureClean.

• SIMManager: Download from www.dekart.com/products/card_management/sim_manager.

• Sleuth Kit 2.08 and Autopsy Browser 2.07 for Linux and Autopsy Browser 3.1 for Windows: Download from www.sleuthkit.org.

• S-Tools4: Download from http://packetstormsecurity.com/files/21688/s-tools4.zip.html or www.4shared.com/zip/q764vcPu/s-tools4.htm.

• VirtualBox: Download from www.virtualbox.org/wiki/Downloads.

• Wireshark: Download from www.wireshark.org.

In addition, you use Microsoft Office Word (or other word processing software) and Excel (or other spreadsheet software) as well as a Web browser.

About the Authors Bill Nelson has worked for more than 30 years for two global Fortune 100 companies in information technologies, with more than 18 years in corporate digital forensics and information security. In addition, he has been an instructor of digital forensics classes at the City University of Seattle and the University of Washington’s Professional and Continuing Education Department for 10 years. His previous experience includes Automated Fingerprint Identification System (AFIS) software engineering and reserve police work. Bill has served as president and vice president for Computer Technology Investigators Northwest (CTIN) and is a member of Computer Related Information Management and Education (CRIME). He routinely lectures at several colleges and universities in the Pacific Northwest.

Amelia Phillips is a graduate of the Massachusetts Institute of Technology with B.S. degrees in astronautical engineering and archaeology and an MBA in technology management. She also holds an interdisciplinary Ph.D. in computer security from the University of Alaska, Fairbanks. After serving as an engineer at the Jet Propulsion Lab, she worked with e-commerce Web sites and began her training in computer forensics to prevent credit card numbers from being stolen from sensitive e-commerce databases. She designed certificate and AAS programs for community colleges in e-commerce, network security, computer forensics, and data recovery. She recently designed the Bachelor of Applied Science in cybersecurity and forensics, which was approved in 2014. She is currently tenured at Highline College in Seattle, Washington. Amelia is a Fulbright Scholar who taught at Polytechnic of Namibia in 2005 and 2006. She continues her work with developing nations and travels there frequently.

Christopher K. Steuart is a practicing attorney maintaining a general litigation practice, with experience in information systems security for a Fortune 50 company and the U.S. Army. He is also an honorary life member and the former general counsel for Computer Investigators Northwest (CTIN). He has presented computer forensics seminars in regional and national forums, including the American Society for Industrial Security (ASIS), Agora, Northwest Computer Technology Crime Analysis Seminar (NCT), and CTIN. He is currently vice president and general counsel for IT Forensics, Inc.

Acknowledgments The team would like to express its appreciation to Product Manager Nick Lombardi, who has given us a great deal of moral support. We would like to thank the entire editorial and production staff for their dedication and fortitude during this project, including Julia McGuirk, Senior Content Developer, and Brooke Greenhouse, Senior Content Project Manager. Our special thanks go to Lisa

xxiv Introduction

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

Lord, the Developmental Editor. We also appreciate the careful reading and thoughtful suggestions of the Technical Editor, Serge Palladino. We would like to thank the reviewers: Steve Bale, Truckee Meadows Community College; Dawn Blanche, Anne Arundel Community College; Gary Kessler, Embry-Riddle Aeronautical University; and Tenette Prevatte, Fayetteville Technical Community College. We would also like to thank our colleagues in professional groups in Washington State and Mike Lacey for his photos.

Bill Nelson I want to express my appreciation to my wife, Tricia, for her support during the long hours spent writing. I would also like to express appreciation to my coauthors along with our editors and book reviewers for the team effort in producing this book. And special thanks for the support and encouragement from my digital forensics colleagues: Franklin Clark, retired investigator for the Pierce County Prosecutor’s Office, Tacoma, Washington; Detective Mike McNown, retired, Wichita PD; Scott Larson of Larson Security, LLC; Don Allison of KoreLogic; retired detectives Brian Palmer, Barry Walden, and Melissa Rogers of the King County Sheriff’s Office, Seattle, Washington; John Sgromolo of Verizon; Art Ehuan of Alvarez and Marsal; Staff Sergeant Clint Baker of the RCMP; Colin Cree of Forensic Data Recovery, Inc.; Chris Brown of Technology Pathways; Stefan Fleischmann of X-Ways; Gordon Ross, formerly of Net Nanny; and Gordon Mitchell of Future Focus, Inc. In addition, special thanks to colleagues Troy Larson of Microsoft, Brett Shavers, Numo Brito, Colin Ramsden, and other unnamed contributors for the ongoing development of WinFE.

Amelia Phillips My deepest gratitude goes to my coauthor Bill Nelson. I want to reiterate the thanks to Lisa Lord for her patience and support and to all the people who have helped us in the past, including Teresa Mobley, Deb Buser, and Detective Melissa Rogers. Acknowledgments go to my many past and present students who have helped with research on what’s happening in the field of digital forensics. Special thanks go to Jens Kircher at X-Ways, who contributed to the Macintosh and Linux chapter, for his insight into these OSs. Thanks to my friends in Namibia, without whom I would not have such a thorough understanding of the different laws on digital evidence and privacy, and special thanks to Dr. Jack Bermingham, Jeff Wagnitz, Alice Madsen, and Dr. Rolita Ezeonu, who have funded and supported me as I experienced what it means to get a Ph.D., write two textbooks, create a bachelor’s program, and work full time. Thanks go to my friends for their support, and the most special thanks go to my two surviving aunties, who are both great teachers and set an excellent example for me. Without them, this would not be possible.

Christopher K. Steuart I would like to express my appreciation to my wife, Josephine, son, Alexander, and daughter, Isobel, for their enthusiastic support of my commitment to Guide to Computer Forensics and Investigations, even as it consumed time and energy that they deserved. I also want to express my thanks to my parents, William and Mary, for their support of my education and development of the skills needed for this project. I thank my coauthors for inviting me to join them in this project. I would like to express my appreciation to the Boy Scouts of America for providing me with the first of many leadership opportunities in my life. I want to recognize Lieutenant General (then Captain) Edward Soriano for seeing the potential in me as a young soldier and encouraging me in learning the skills required to administer, communicate with, and command an organization within the structure of law, regulation, and personal commitment. I must also thank the faculty of Drake University Law School, particularly Professor James A. Albert, for encouraging me to think and write creatively about the law. I also note the contribution of Diane Gagon and the staff of the Church of Scientology in Seattle, Washington, in supporting my better understanding of commitment to myself and others.

Introduction xxv

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

chapterchapter11 Understanding the Digital Forensics Profession and Investigations

Understanding the Digital Forensics Profession and Investigations

After reading this chapter and completing the exercises, you will be able to:

• Describe the field of digital forensics

• Explain how to prepare for computer investigations and summarize the difference between public-sector and private-sector investigations

• Explain the importance of maintaining professional conduct

• Describe how to prepare a digital forensics investigation by taking a systematic approach

• Describe procedures for private-sector digital investigations

• Explain requirements for data recovery workstations and software

• Summarize how to conduct an investigation, including critiquing a case

1 Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

In the past several years, the field of computer forensics has developed significantly, including new terminology. This chapter introduces you to computer forensics or, as it’s now typically called, digital forensics and discusses issues of importance in the industry. This book blends traditional investigative methods with classic systems analysis problem-solving techni- ques and applies them to investigations involving computers and other digital media and sys- tems. Understanding these disciplines combined with the use of the forensics tools will make you a skilled digital forensics examiner.

This chapter also gives you an overview of how to manage a computing investigation and use standard problem-solving techniques. You learn about the problems and challenges forensics examiners face when preparing and processing investigations, including the ideas and questions they must consider. To perform the activities and projects in this chapter, you work with foren- sic disk images from small USB drives and then can apply the same techniques to a large disk.

An Overview of Digital Forensics As the world has become more of a level playing field, with more people online who have access to the same information (Thomas L. Freidman, The World Is Flat, Farrar, Straus, and Giroux, 2005), the need to standardize digital forensics processes has become more urgent. The definition of digital forensics has also evolved over the years from simply involving secur- ing and analyzing digital information stored on a computer for use as evidence in civil, crimi- nal, or administrative cases. The former director of the Defense Computer Forensics Laboratory, Ken Zatyko, wrote a treatise on the many specialties including computer foren- sics, network forensics, video forensics, and a host of others. He defined it as “[t]he applica- tion of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence (information of probative value that is stored or transmitted in binary form) after proper search authority, chain of custody, validation with mathematics (hash function), use of validated tools, repeatability, reporting and possible expert pre- sentation” (“Commentary: Defining Digital Forensics,” Forensic Magazine, 2007).

The field of digital forensics can also encompass items such as research and incident response. With incident response, most organizations are concerned with protecting their assets and con- taining the situation, not necessarily prosecuting or finding the person responsible. Research in digital forensics also isn’t concerned with prosecution or validity of evidence. This book is intended for digital forensics investigators and examiners at the civil, criminal, and administra- tive levels. Other facets of digital forensics are beyond the scope of this book. Keep in mind that depending on the jurisdiction and situation, forensic investigators and examiners might be the same or different personnel. In this book, the terms are used interchangeably.

For a more in-depth discussion of what the term “digital forensics” means, see “Digital Forensic Evidence Examination” (Fred Cohen, www.fredcohen.net/Books/2013-DFE-Examination.pdf, 2012).

Many groups have tried to create digital forensics certifications that could be recognized worldwide but have failed in this attempt. However, they have created certifications for spe- cific categories of practitioners, such as government investigators. Because digital evidence is everywhere, with ubiquitous access to mobile devices, the need for a global standardized

2 Chapter 1

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

method is even more critical so that companies and governments can share and use digital evidence. In October 2012, an International Organization for Standardization (ISO) standard for digital forensics was ratified. This standard, ISO 27037 Information technology – Security techniques – Guidelines for identification, collection, acquisition and preservation of digital evidence, defines the personnel and methods for acquiring and preserving digital evidence. To address the multinational cases that continue to emerge, agencies in every country should develop policies and procedures that meet this standard.

The Federal Rules of Evidence (FRE), signed into law in 1973, was created to ensure consis- tency in federal proceedings, but many states’ rules map to the FRE, too. In another attempt to standardize procedures, the FBI Computer Analysis and Response Team (CART) was formed in 1984 to handle the increase in cases involving digital evidence. Figure 1-1 shows the home page for the FBI CART. By the late 1990s, CART had teamed up with the Depart- ment of Defense Computer Forensics Laboratory (DCFL) for research and training. Much of the early curriculum in this field came from the DCFL.

Files maintained on a computer are covered by different rules, depending on the nature of the documents. Many court cases in state and federal courts have developed and clarified how the rules apply to digital evidence. The Fourth Amendment to the U.S. Constitution (and each state’s constitution) protects everyone’s right to be secure in their person, residence, and prop- erty from search and seizure. Continuing development of the jurisprudence of this amendment has played a role in determining whether the search for digital evidence has established a differ- ent precedent, so separate search warrants might not be necessary. However, when preparing to search for evidence in a criminal case, many investigators still include the suspect’s computer and its components in the search warrant to avoid later admissibility problems.

1

Figure 1-1 The FBI CART Web site Source: www.fbi.gov/about-us/otd/image/cart-team/view

An Overview of Digital Forensics 3

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

In an important case involving these issues, the Pennsylvania Supreme Court addressed expectations of privacy and whether evidence is admissible (see Commonwealth v. Copenhe- fer, 587 A.2d 1353, 526 Pa. 555 [1991]). Initial investigations by the FBI, state police, and local police resulted in discovering computer-generated notes and instructions—some of which had been deleted—that had been concealed in hiding places around Corry, Pennsylva- nia. The investigation also produced several possible suspects, including David Copenhefer, who owned a nearby bookstore and apparently had bad relationships with the victim and her husband. Examination of trash discarded from Copenhefer’s store revealed drafts of the ransom note and directions. Subsequent search warrants resulted in seizure of evidence against him. Copenhefer’s computer contained several drafts and amendments of the text of phone calls to the victim and the victim’s husband the next day, the ransom note, the series of hidden notes, and a plan for the entire kidnapping scheme (Copenhefer, p. 559).

On direct appeal, the Pennsylvania Supreme Court concluded that the physical evidence, including the digital forensics evidence, was sufficient to support the bookstore owner’s con- viction. Copenhefer’s argument was that “[E]ven though his computer was validly seized pur- suant to a warrant, his attempted deletion of the documents in question created an expectation of privacy protected by the Fourth Amendment. Thus, he claims, under Katz v. United States, 389 U.S. 347, 357, 88 S.Ct. 507, 19 L.Ed.2d 576 (1967), and its progeny, Agent Johnson’s retrieval of the documents, without first obtaining another search warrant, was unreasonable under the Fourth Amendment and the documents thus seized should have been suppressed” (Copenhefer, p. 561).

The Pennsylvania Supreme Court rejected this argument, stating, “A defendant’s attempt to secrete evidence of a crime is not synonymous with a legally cognizable expectation of pri- vacy. A mere hope for secrecy is not a legally protected expectation. If it were, search war- rants would be required in a vast number of cases where warrants are clearly not necessary” (Copenhefer, p. 562).

Every U.S. jurisdiction has case law related to the admissibility of evidence recovered from computers and other digital devices. As you learn in this book, however, the laws on digital evidence vary between states as well as between provinces and countries.

The U.S. Department of Justice offers a useful guide to search and seizure procedures for computers and computer evidence at www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf.

Digital Forensics and Other Related Disciplines According to DIBS USA, Inc., a privately owned corporation specializing in digital forensics since the 1990s (www.dibsforensics.com), digital forensics involves scientifically examining and ana- lyzing data from computer storage media so that it can be used as evidence in court. In the National Institute of Standards and Technology (NIST) document “Guide to Integrating Forensic Techniques into Incident Response” (http://csrc.nist.gov/publications/nistpubs/800-86/SP800- 86.pdf, 2006), digital forensics is defined as “the application of science to the identification, col- lection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.” Typically, investigating digital devices includes collecting data securely, examining suspect data to determine details such as origin and content, presenting digital information to courts, and applying laws to digital device practices.

4 Chapter 1

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

In general, digital forensics is used to investigate data that can be retrieved from a computer’s hard drive or other storage media. Like an archaeologist excavating a site, digital forensics examiners retrieve information from a computer or its components. The information retrieved might already be on the drive, but it might not be easy to find or decipher. On the other hand, network forensics yields information about how attackers gain access to a network along with files they might have copied, examined, or tampered with. Network forensics examiners use log files to determine when users logged on and determine which URLs users accessed, how they logged on to the network, and from what location. Network forensics also tries to determine what tracks or new files were left behind on a victim’s computer and what changes were made. In Chapter 10, you explore when and how network forensics should be used in an investigation.

Digital forensics is also different from data recovery, which involves retrieving information that was deleted by mistake or lost during a power surge or server crash, for example. In data recovery, typically you know what you’re looking for. Digital forensics is the task of recover- ing data that users have hidden or deleted, with the goal of ensuring that the recovered data is valid so that it can be used as evidence. In this regard, digital forensics differs from other types of evidence recovered from a scene. When investigators in a crime scene unit retrieve blood or hair or bullets, they can identify what it is. When a laptop, smartphone, or other digital device is retrieved, its contents are unknown and pose a challenge to the examiner. The evidence can be inculpatory evidence (in criminal cases, the expression is “incriminating”) or exculpatory evidence, meaning it tends to clear the suspect. Examiners often approach a digital device not knowing whether it contains evidence. They must search storage media and piece together any data they find. Forensics software tools can be used for most cases. In extreme cases, examiners can use electron microscopes and other sophisticated equipment to retrieve information from machines that have been damaged or reformatted purposefully. This method is usually cost prohibitive, so it’s not normally used.

Forensics investigators often work as part of a team to secure an organization’s computers and networks. The digital investigation function can be viewed as part of a triad that makes up computing security. Rapid progress in technology has resulted in an expansion of the skills needed and varies depending on the organization using practitioners in this field. Figure 1-2 shows the investigations triad made up of these functions:

• Vulnerability/threat assessment and risk management

• Network intrusion detection and incident response

• Digital investigations

Each side of the triad in Figure 1-2 represents a group or department responsible for perform- ing the associated tasks. Although each function operates independently, all three groups draw from one another when a large-scale computing investigation is being conducted. By combining these three groups into a team, all aspects of a digital technology investigation can be addressed without calling in outside specialists. In smaller companies, one group might perform all the tasks shown in the investigations triad, or a small company might contract with service providers to perform these tasks.

When you work in the vulnerability/threat assessment and risk management group, you test and verify the integrity of stand-alone workstations and network servers. This integrity check covers the physical security of systems and the security of operating systems (OSs) and appli- cations. People working in this group (often known as penetration testers) test for vulnerabil- ities of OSs and applications used in the network and conduct authorized attacks on the

1

An Overview of Digital Forensics 5

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

network to assess vulnerabilities. Typically, people performing this task have several years of experience in system administration. Their job is to poke holes in the network to help an or- ganization be better prepared for a real attack.

Professionals in the vulnerability assessment and risk management group also need skills in network intrusion detection and incident response. This group detects intruder attacks by using automated tools and monitoring network firewall logs. When an external attack is detected, the response team tracks, locates, and identifies the intrusion method and denies further access to the network. If an intruder launches an attack that causes damage or poten- tial damage, this team collects the necessary evidence, which can be used for civil or criminal litigation against the intruder and to prevent future intrusions. If an internal user is engaged in illegal acts or policy violations, the network intrusion detection and incident response group might assist in locating the user. For example, someone at a community college sends e-mails containing a worm to other users on the network. The network team realizes the e-mails are coming from a node on the internal network, and the security team focuses on that node. The digital investigations group manages investigations and conducts forensics analysis of systems suspected of containing evidence related to an incident or a crime. For complex casework, this group draws on resources from personnel in vulnerability assessment, risk management, and network intrusion detection and incident response. However, the digital investigations group typically resolves or terminates case investigations.

A Brief History of Digital Forensics Forty years ago, few people imagined that computers would be an integral part of everyday life. Now computer technology is commonplace, as are crimes in which a computer is the instrument of the crime, the target of the crime, and, by its nature, the location where evidence is stored.

By the 1970s, electronic crimes were increasing, especially in the financial sector. Most com- puters in that era were mainframes, used by trained people with specialized skills who worked in finance, engineering, and academia. White-collar fraud began when people in these industries saw a way to make money by manipulating computer data. One of the most well- known crimes of the mainframe era is the one-half cent crime. Banks commonly tracked money in accounts to the third decimal place or more. They used and still use the rounding-up

Digital Investigations

Vu ln

er ab

ilit y/

Th re

at A

ss es

sm en

t a nd

Ri sk

M an

ag em

en t

Network Intrusion Detection

and Incident Response

Figure 1-2 The investigations triad ª 2016 Cengage Learning�

6 Chapter 1

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

accounting method when paying interest. If the interest applied to an account resulted in a frac- tion of a cent, that fraction was used in the calculation for the next account until the total resulted in a whole cent. It was assumed that eventually every customer would benefit from this averaging. Some computer programmers corrupted this method by opening an account for themselves and writing programs that diverted all the fractional monies into their accounts. In small banks, this practice amounted to only a few hundred dollars a month. In large banks with millions of accounts, however, the amount could reach hundreds of thousands of dollars.

During this time, most law enforcement officers didn’t know enough about computers to ask the right questions or to preserve evidence for trial. Many began to attend the Federal Law Enforcement Training Center (FLETC) programs designed to train law enforcement in han- dling digital data.

As PCs gained popularity and began to replace mainframe computers in the 1980s, many dif- ferent OSs emerged. Apple released the Apple IIe in 1983 and then the Macintosh in 1984. Computers such as the TRS-80 and Commodore 64 were the machines of the day. CP/M machines, such as the Kaypro and Zenith, were also in demand.

Disk Operating System (DOS) was available in many varieties, including PC-DOS, QDOS, DR-DOS, IBM-DOS, and MS-DOS. Forensics tools at that time were simple, and most were generated by government agencies, such as the Royal Canadian Mounted Police (RCMP, which had its own investigative tools) and the U.S. Internal Revenue Service (IRS). Most tools were written in C and assembly language and weren’t available to the general public.

In the mid-1980s, a new tool, Xtree Gold, appeared on the market. It recognized file types and retrieved lost or deleted files. Norton DiskEdit soon followed and became the preferred tool for finding and recovering deleted files. You could use these tools on the most powerful PCs of that time; IBM-compatible computers had hard disks of 10 to 40 MB and two floppy drives, as shown in Figure 1-3.

1

Figure 1-3 An 8088 computer ª iStockPhoto.com/Maxiphoto

An Overview of Digital Forensics 7

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

In 1987, Apple produced the Mac SE, a Macintosh with an external EasyDrive hard disk with 60 MB of storage (see Figure 1-4). At this time, the popular Commodore 64 still used standard audiotapes to record data, so the Mac SE represented an important advance in com- puter technology.

By the early 1990s, specialized tools for digital forensics were available. The International Association of Computer Investigative Specialists (IACIS) introduced training on software for digital forensics examinations, and the IRS created search-warrant programs. However, no commercial GUI software for digital forensics was available until ASR Data created Expert Witness for Macintosh. This software could recover deleted files and fragments of deleted files. One of the ASR Data partners later left and developed EnCase, which became a popular digital forensics tool.

As computer technology continued to evolve, more digital forensics software was developed. The introduction of large hard disks posed new problems for investigators. Most DOS-based software didn’t recognize a hard disk larger than 8 GB. Because contemporary computers have hard disks of 500 GB and often much larger, changes in forensics software were needed. Later in this book, you explore the challenges of examining older software and hardware.

Other tools, such as ILook, which is currently maintained by the IRS Criminal Investigation Division and limited to law enforcement, can analyze and read special files that are copies of a disk. AccessData Forensic Toolkit (FTK) has become a popular commercial product that performs similar tasks in the law enforcement and civilian markets.

As software companies become savvier about digital forensics and investigations, they are producing more forensics tools to keep pace with technology. This book describes several tools but by no means all available tools. You should refer to trade publications, e-zines, and Web sites to stay current.

Understanding Case Law Existing laws and statutes simply can’t keep up with the rate of technological change. There- fore, when statutes or regulations don’t exist, case law is used. In common law nations, such as the United States, case law allows legal counsel to apply previous similar cases to current

Figure 1-4 A Mac SE with an external EasyDrive hard disk ª Cengage Learning�

8 Chapter 1

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

ones in an effort to address ambiguity in laws. Examiners must be familiar with recent court rulings on search and seizure in the electronic environment to avoid mistakes such as exceed- ing a search warrant’s authority. Recent events involving privacy incursions by government agencies have resulted in new laws and policies. Developments in technology have changed how everyday events are viewed. For example, what should be considered private conversa- tions? Which devices are actually protected?

Although law enforcement can certainly confiscate anything an arrested person is carrying and log that a device, such as a smartphone, was on the person, they don’t necessarily have the right or authority to search the device. These actions are being challenged in courts con- stantly. Remaining vigilant in keeping up with changing case law is critical to being an effec- tive digital forensics investigator.

Developing Digital Forensics Resources To be a successful digital forensics investigator, you must be familiar with more than one com- puting platform. In addition to older platforms, such as DOS, Windows 9x, and Windows XP, you should be familiar with Linux, Macintosh, and current Windows platforms. However, no one can be an expert in every aspect of computing. Likewise, you can’t know everything about the technology you’re investigating. To supplement your knowledge, you should develop and maintain contact with computing, network, and investigative professionals.

Join computer user groups in both the public and private sectors. In the Pacific Northwest, for example, Computer Technology Investigators Network (CTIN) meets to discuss problems that digital forensics examiners encounter. This nonprofit organization also conducts training. IACIS is an excellent group for law enforcement personnel but doesn’t have local chapters. However, groups such as the High Technology Crime Investigation Association, International Information Systems Security Certification Consortium (ISC2), and InfraGard have local chap- ters open to professionals in most major cities. Build your own network of digital forensics experts, and keep in touch through e-mail. Cultivate professional relationships with people who specialize in technical areas different from your own specialty. If you’re a Windows expert, for example, maintain contact with experts in Linux, UNIX, and Macintosh. If you’re using social media to interact with experts, exercise caution and good judgment when commu- nicating with people you haven’t met in person or whose backgrounds you don’t know.

User groups can be especially helpful when you need information about obscure OSs. For example, a user group helped convict a child molester in Pierce County, Washington, in 1996. The suspect installed video cameras throughout his house, served alcohol to young women to intoxicate them, and secretly filmed them playing strip poker. When he was accused of molesting a child, police seized his computers and other physical evidence. The in- vestigator discovered that the computers used CoCo DOS, an OS that had been out of use for years. The investigator contacted a local user group, which supplied the standard com- mands and other information needed to access the system. On the suspect’s computer, the investigator found a diary detailing the suspect’s actions over 15 years, including the molesta- tion of more than 400 young women. As a result, the suspect received a longer sentence than if he had been convicted of molesting only one child.

Outside experts can also give you detailed information you need to retrieve digital evidence. For example, a recent murder case involved a husband and wife who owned a Macintosh store. When the wife was discovered dead, apparently murdered, investigators found that she

1

An Overview of Digital Forensics 9

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

had wanted to leave her husband but didn’t because of her religious beliefs. The police got a search warrant and confiscated the home and office computers. When the detective on the case examined the home system, he found that the hard drive had been compressed and erased. He contacted a Macintosh engineer, who determined the two software programs used to compress the drive. With this knowledge, the detective could retrieve information from the hard drive, including text files indicating that the husband spent $35,000 in business funds to purchase cocaine and prostitution services. This evidence proved crucial in making it possible to convict the husband of murder.

Preparing for Digital Investigations Digital investigations can be categorized several ways. For the purposes of this discussion, however, they fall into two categories: public-sector investigations and private-sector investi- gations (see Figure 1-5).

In general, public-sector investigations involve government agencies responsible for criminal investigations and prosecution. Government agencies range from municipal, county, and state or provincial police departments to federal law enforcement agencies. These

Figure 1-5 Public-sector and private-sector investigations ª Cengage Learning�

10 Chapter 1

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

organizations must observe legal guidelines of their jurisdictions, such as Article 8 in the Charter of Rights of Canada and the Fourth Amendment to the U.S. Constitution restricting government search and seizure (see Figure 1-6). The law of search and seizure in the United States protects the rights of people, including people suspected of crimes; as a digital forensics examiner, you must follow these laws. The Department of Justice (DOJ) updates information on computer search and seizure regularly.

Private-sector investigations focus more on policy violations, such as not adhering to Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations. However, crimi- nal acts, such as corporate espionage, can also occur. So although private-sector investiga- tions often start as civil cases, they can develop into criminal cases; likewise, a criminal case can have implications leading to a civil case. If you follow good forensics procedures, the evi- dence found in your examinations can make the transition between civil and criminal cases.

Understanding Law Enforcement Agency Investigations When conducting public-sector investigations, you must understand laws on computer- related crimes, including standard legal processes, guidelines on search and seizure, and how to build a criminal case. In a criminal case, a suspect is charged with a criminal offense, such as burglary, murder, molestation, or fraud. To determine whether there was a computer crime, an investigator asks questions such as the following: What was the tool used to com- mit the crime? Was it a simple trespass? Was it a theft or vandalism? Did the perpetrator infringe on someone else’s rights by cyberstalking or e-mail harassment?

Laws, including procedural rules, vary by jurisdiction. Therefore, this book points out when items accepted in U.S. courts don’t stand up in other courts. Lately, a major issue has been that European Union (EU) privacy laws are more stringent than U.S. privacy laws. Issues related to international companies are still being defined. Over the past few

1

Figure 1-6 The Fourth Amendment ª Cengage Learning�

Preparing for Digital Investigations 11

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

decades, more companies have been consolidating into global entities. As a result, internal company investigations can involve laws of multiple countries. For example, a company has a subsidiary operating in Australia. An employee at that subsidiary is suspected of fraud, and as part of your investigation, you need to seize his cell phone. Under U.S. law, you can if he used it on company property and synchronized it with the company network. Under Australian law, you can’t.

Computers and networks might be only tools used to commit crimes and are, therefore, analo- gous to the lockpick a burglar uses to break into a house. For this reason, many states have added specific language to criminal codes to define crimes involving computers. States such as Alabama have wording such as “willfully or without authorization” and specify what dollar amount qualifies as a misdemeanor or a felony. For example, they have expanded the definition of laws for crimes such as theft to include taking data from a computer without the owner’s per- mission, so computer theft is now on a par with shoplifting or car theft. States have also enacted specific criminal statutes that address computer-related crimes but typically don’t include digital issues in standard trespass, theft, vandalism, or burglary laws. The Computer Fraud and Abuse Act was passed in 1986, but specific state laws were generally developed later.

For information on how each state defines and addresses computer- related crimes, see http://statelaws.findlaw.com/criminal-laws/computer- crimes/.

Many serious crimes involve computers, smartphones, and other digital devices. The most notorious are those involving sexual exploitation of minors. Digital images are stored on hard disks, flash drives, removable hard drives, and the cloud and are circulated on the Inter- net. Other computer crimes concern missing children and adults because information about missing people is often found on computers. Drug dealers, car theft rings, and other criminals often keep information about transactions on their computers, laptops, smartphones, and other devices.

Following Legal Processes When conducting a computer investigation for potential criminal violations of the law, the legal processes you follow depend on local custom, legislative standards, and rules of evi- dence. In general, however, a criminal case follows three stages: the complaint, the investiga- tion, and the prosecution. Someone files a complaint, and then a specialist investigates the complaint and, with the help of a prosecutor, collects evidence and builds a case. If the evi- dence is sufficient, the case might proceed to trial.

A criminal investigation generally begins when someone finds evidence of or witnesses an ille- gal act. The witness or victim makes an allegation to the police, an accusation of fact that a crime has been committed.

A police officer interviews the complainant and writes a report about the crime. The law enforcement agency processes the report, and management decides to start an investigation or log the information into a police blotter, which provides a record of information about crimes that have been committed previously. Criminals often repeat actions in their illegal

12 Chapter 1

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

activities, and these patterns can be discovered by examining police blotters. This historical knowledge is useful when conducting investigations, especially in high-technology crimes. Blotters now are generally electronic files, often structured as databases, so they can be searched more easily than the old paper blotters.

To see an example of a police blotter, go to http://spdblotter.seattle.gov.

Not every police officer is a computer expert. Some are computer novices; others might be trained to recognize what they can retrieve from a computer disk. To differentiate the training and expe- rience officers have, ISO standard 27037 (www.iso.org/iso/catalogue detail?csnumber¼44381) defines two categories. A Digital Evidence First Responder (DEFR) has the skill and training to arrive on an incident scene, assess the situation, and take precautions to acquire and preserve evidence. A Digital Evidence Specialist (DES) has the skill to analyze the data and determine when another specialist should be called in to assist with the analysis.

If you’re an examiner assigned to a case, recognize the level of expertise of police officers and others involved in the case. You should have DES training to conduct the examination of sys- tems and manage the digital forensics aspects of the case. You start by assessing the scope of the case, which includes the computer’s OS, hardware, and peripheral devices. You then determine whether resources are available to process all the evidence. Determine whether you have the right tools to collect and analyze evidence and whether you need to call on other specialists to assist in collecting and processing evidence. After you have gathered the resour- ces you need, your role is to delegate, collect, and process the information related to the com- plaint. After you build a case, the information is turned over to the prosecutor. As an investigator, you must then present the collected evidence with a report to the government’s attorney. Depending on the community and the nature of the crime, the prosecutor’s title varies by jurisdiction.

In a criminal or public-sector case, if the police officer or investigator has sufficient cause to support a search warrant, the prosecuting attorney might direct him or her to submit an affi- davit (also called a “declaration”). This sworn statement of support of facts about or evi- dence of a crime is submitted to a judge with the request for a search warrant before seizing evidence. Figure 1-7 shows a typical affidavit. It’s your responsibility to write the affidavit, which must include exhibits (evidence) that support the allegation to justify the warrant. You must then have the affidavit notarized under sworn oath to verify that the information in the affidavit is true. (You learn more about affidavits and declarations in Chapter 14.)

In general, after a judge approves and signs a search warrant, it’s ready to be executed, mean- ing a DEFR can collect evidence as defined by the warrant. After you collect the evidence, you process and analyze it to determine whether a crime actually occurred. The evidence can then be presented in court in a hearing or trial. A judge or an administrative law judge then renders a judgment, or a jury hands down a verdict (after which a judge can enter a judgment).

1

Preparing for Digital Investigations 13

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

Understanding Private-Sector Investigations Private-sector investigations involve private companies and lawyers who address company policy violations and litigation disputes, such as wrongful termination. When conducting an investigation for a private company, remember that business must continue with minimal interruption from your investigation. Because businesses usually focus on continuing their usual operations and making profits, many in a private-sector environment consider your investiga- tion and apprehension of a suspect secondary to stopping the violation and minimizing damage or loss to the business. Businesses also strive to minimize or eliminate litigation, which is an expensive way to address criminal or civil issues. Private-sector computer crimes can involve e-mail harassment, falsification of data, gender and age discrimination, embezzlement, sabo- tage, and industrial espionage, which involves selling sensitive or confidential company infor- mation to a competitor. Anyone with access to a computer can commit these crimes.

Establishing Company Policies One way that businesses can reduce the risk of litigation is to publish and maintain policies that employees find easy to read and follow. In addition, these policies can make internal investigations go more smoothly. The most impor- tant policies are those defining rules for using the company’s computers and networks; this type of policy is commonly known as an “acceptable use policy.” Organizations should have all employees sign this acceptable use agreement. Published company policies also provide a line of authority for conducting internal investigations; it states who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence.

Well-defined policies give computer investigators and forensics examiners the authority to conduct an investigation. Policies also demonstrate that an organization intends to be

Figure 1-7 Typical affidavit language ª Cengage Learning�

14 Chapter 1

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

fair-minded and objective about how it treats employees and state that the organization will follow due process for all investigations. (“Due process” refers to fairness under the law and is meant to protect all.) Without defined policies, a business risks exposing itself to litigation from current or former employees. The person or committee in charge of maintaining com- pany policies must also stay current with applicable laws, which can vary depending on the city, state, and country. In addition, training and updates on standards and policies should be scheduled regularly to keep employees informed of what should and shouldn’t be done on the organization’s network.

Displaying Warning Banners Another way a private or public organization can avoid litigation is to display a warning banner on computer screens. A warning banner usu- ally appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will. (An end user is a person using a com- puter to perform routine tasks other than system administration.) If this right isn’t stated ex- plicitly, employees might have an assumed right of privacy when using a company’s computer systems and network accesses. Figure 1-8 shows a sample warning banner.

A warning banner asserts the right to conduct an investigation and notifies the user. By dis- playing a strong, well-worded warning banner, an organization owning computer equipment doesn’t need a search warrant or court order as required under Fourth Amendment search- and-seizure rules to seize the equipment. In a company with a well-defined policy, this right to inspect or search at will applies to both criminal activity and company policy violations. Keep in mind, however, that your country’s laws might differ. For example, in some coun- tries, even though the company has the right to seize computers at any time, if employees are suspected of a criminal act, they must be informed at that time.

The following list recommends phrases to include in warning banners. Before using these warnings, consult with the organization’s legal department for other required legal notices for your work area or department. Depending on the type of organization, the following text can be used in internal warning banners:

• Access to this system and network is restricted.

• Use of this system and network is for official business only.

• Systems and networks are subject to monitoring at any time by the owner.

1

Figure 1-8 A sample warning banner ª Cengage Learning�

Preparing for Digital Investigations 15

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

• Using this system implies consent to monitoring by the owner.

• Unauthorized or illegal users of this system or network will be subject to discipline or prosecution.

• Users of this system agree that they have no expectation of privacy relating to all activ- ity performed on this system.

The DOJ document at www.justice.gov/criminal/cybercrime/docs/ ssmanual2009.pdf has several examples of warning banners.

An organization such as a community college might simply state that systems and networks are subject to observation and monitoring at any time because members of the local commu- nity who aren’t staff or students might use the facilities. A for-profit organization, on the other hand, could have proprietary information on its network and use all the phrases sug- gested in the preceding list.

Guests, such as employees of business partners, might be allowed to use the system. The text that’s displayed when a guest attempts to log on can include warnings similar to the following:

• This system is the property of Company X.

• This system is for authorized use only; unauthorized access is a violation of law and violators will be prosecuted.

• All activity, software, network traffic, and communications are subject to monitoring.

As a private-sector digital investigator, make sure a company displays a clearly worded warn- ing banner. Without a banner, your authority to inspect might conflict with the user’s expec- tation of privacy, and a court might have to determine the issue of authority to inspect. State laws vary on the expectation of privacy, but all states accept the concept of a waiver of the expectation of privacy. Additionally, the EU and its member nations impose substantial pen- alties for personal information that crosses national boundaries without the person’s consent. For example, if your company is conducting an investigation at its subsidiary in the EU, you might not be able to acquire a network drive without notifying certain parties or making sure consent documents are in place.

Some might argue that written policies are all that are necessary. However, in the actual pros- ecution of cases, warning banners have been critical in determining that a user didn’t have an expectation of privacy for information stored on the system. A warning banner has the addi- tional advantage of being easier to present in trial as an exhibit than a policy manual. Gov- ernment agencies, such as the Department of Energy, NASA, Lawrence Livermore Labs, and even public libraries, now require warning banners on all computer terminals on their sys- tems. Many corporations also require warning banners as part of the logon/startup process.

Designating an Authorized Requester As mentioned, investigations must es- tablish a line of authority. In addition to using warning banners that state a company’s rights of computer ownership, businesses are advised to specify an authorized requester who has the power to initiate investigations. Executive management should define a policy to avoid conflicts from competing interests in organizations. In large organizations, competition for

16 Chapter 1

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).

Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

funding or management support can become so fierce that people might create false allega- tions of misconduct to prevent competing departments from delivering a proposal for the same source of funds.

To avoid inappropriate investigations, executive management must also define and limit who’s authorized to request a computer investigation and forensics analysis. Generally, the fewer groups with authority to request a computer investigation, the better. Examples of groups with this authority in a private-sector environment include following:

• Corporate security investigations

• Corporate ethics office

• Corporate equal employment opportunity office

• Internal auditing

• The general counsel or legal department

All other groups should coordinate their requests through the corporate security investigations group. This policy separates the investigative process from the process of employee discipline.

Conducting Security Investigations Conducting a digital investigation in the private sector is not much different from conducting one in the public sector. During public investigations, you search for evidence to support criminal allegations. During private investigations, you search for evidence to support allegations of violations of a company’s rules or an attack on its assets. Three types of situations are common in private-sector environments:

• Abuse or misuse of computing assets

Homework is Completed By:

Writer Writer Name Amount Client Comments & Rating
Instant Homework Helper

ONLINE

Instant Homework Helper

$36

She helped me in last minute in a very reasonable price. She is a lifesaver, I got A+ grade in my homework, I will surely hire her again for my next assignments, Thumbs Up!

Order & Get This Solution Within 3 Hours in $25/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 3 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

Order & Get This Solution Within 6 Hours in $20/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 6 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

Order & Get This Solution Within 12 Hours in $15/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 12 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

6 writers have sent their proposals to do this homework:

Solution Provider
Assignment Hub
Financial Assignments
Assignment Helper
Top Grade Essay
Best Coursework Help
Writer Writer Name Offer Chat
Solution Provider

ONLINE

Solution Provider

Hello, I an ranked top 10 freelancers in academic and contents writing. I can write and updated your personal statement with great quality and free of plagiarism

$47 Chat With Writer
Assignment Hub

ONLINE

Assignment Hub

You can award me any time as I am ready to start your project curiously. Waiting for your positive response. Thank you!

$46 Chat With Writer
Financial Assignments

ONLINE

Financial Assignments

You can award me any time as I am ready to start your project curiously. Waiting for your positive response. Thank you!

$40 Chat With Writer
Assignment Helper

ONLINE

Assignment Helper

I have read and understood all your initial requirements, and I am very professional in this task.

$30 Chat With Writer
Top Grade Essay

ONLINE

Top Grade Essay

I have read and understood all your initial requirements, and I am very professional in this task.

$41 Chat With Writer
Best Coursework Help

ONLINE

Best Coursework Help

Hello, I an ranked top 10 freelancers in academic and contents writing. I can write and updated your personal statement with great quality and free of plagiarism

$28 Chat With Writer

Let our expert academic writers to help you in achieving a+ grades in your homework, assignment, quiz or exam.

Similar Homework Questions

Health Care Delivery Systems Essay - Skinhead deadhead everybody gone bad - Paradox in macbeth act 1 scene 2 - The alamo drafthouse case study - Igcse biology notes revision - Main characters in the great debaters - Joe bloggs mystery disease diagnosis - Physics 151 csulb - Husky injection molding systems case - Jackson county senior services is a nonprofit organization - Wasserman, Charleston Shooting(2015).jpg - Ucsc computer science game design curriculum chart - Quindlen anna a quilt of a country - Ldx 2101 vs 2205 - Access module 1 sam textbook project - Capscare nursing - Wk 3 - Topics in Consumer Behavior Presentation - Damon zumwalt net worth - University of nottingham malaysia postcode - Evaluate the expression upper p - Td o connell wichita ks - Social science inquiry - 316 pringles road martinsville - The mission statement of coca cola - Power bi healthcare examples - Chapter 7 Discussion - Management accounting - Smarthinking writer's handbook - Johnson and johnson unethical practices ppt - What is the appendix of a report - Who does macbeth kill first - Complete the reaction cao h2o - The marketing concept ebook - Contemporary issue position essay - Roaring flame bunsen burner - Make your own gas mask - Sui sin far mrs spring fragrance analysis - Hilton hotels customizes rooms and lobbies according to location - Monash lss clerkship guide - APA Citation Tutorial - Saddle inc has two types of handbags - Capital project fund journal entries examples - How you plan to avoid operational transaction and translation exposure - I need 600 words answering he questions on Developing a Market - Class 1 cavity prep - Edmund emil kemper ii - Md-101 study guide pdf - Dashboard benchmark evaluation - Apa referencing guide rmit - Doug harrison versacold - Customary capacity practice and homework lesson 10.2 answer key - NTC/320: Discussion - Implementation Plan - When was the 300 lb wrestler on television math worksheet - Human experience across the health illness continuum - Four lenses of wellness - Complementary strand of dna - Solving trig equations in a given interval - Cloud Computing Discussion 1 - Internal marketing in hotel industry - Data science methodology for emails - As you have matured, you have developed your own morals and values to which you adhere. Understanding these morals and values can help you set goals for future employment. Develop a priority list of important values and ethical standards by which you live. Then answer these questions: How will these impact your job search? Be sure to describe how job industries, job roles, business mission statements, salary, etc. (add whatever else you expect) will be involved. Are there any trades-offs that you expect you will have to make in order to get a job? - Palo alto url filtering - International business essay questions and answers - Question of international studies - Mcdonald's is which type of supply chain partner to gavina - Fireproof movie questions and answers - Navy shipboard collective protection system decontamination steps - Nh4oh hcl balanced equation - St mark's church barbados - Stand and proclaim by benita washington lyrics - Sap crm pipeline performance management - Doublewide dealers has an roa of 10 - Psychology 2 - Www learningchocolate com content classroom - The reason college costs more than you think - Which american composer was an insurance salesman in everyday life - Fire tank capacity as per nbc - 78.1 kg in stone - Holy sonnets death be not proud by john donne - Vce business management study design - Meijer one stop portal userphone - Amazons vision statement - Sadie coles rudolf stingel - Dyson core competencies - International causes of the great depression - Assignment 04.11 write your argument - French speaking countries flags - Returns and Bond Ratings assignment - Kitchen renovation project charter - Clinical Field Experience A: Understanding Collaboration - Roles and Responsibilities - Student exploration gravitational force answer key - Project management for business engineering and technology 5th edition pdf - Beta distribution pmp - IA week9 DB - Honda cub owners club uk - Neptune's necklace physiological adaptations - Healthcare Management - How to calculate nursing staffing needs - Gcu substantive post - Instruments of darkness macbeth