
ISSA INFORMATION SYSTEMS SECURITY & ASSURANCE SERIES


Fundamentals of Communications and Networking, Second Edition Michael G. Solomon and David Kim


Fundamentals of Information Systems Security, Third Edition David Kim and Michael G. Solomon


Legal Issues in Information Security, Second Edition Joanna Lyn Grama


Managing Risk in Information Systems, Second Edition Darril Gibson


Security Policies and Implementation Issues, Second Edition Rob Johnson


Auditing IT Infrastructures for Compliance, Second Edition Martin Weiss and Michael G. Solomon


Access Control, Authentication, and Public Key Infrastructure, Second Edition Mike Chapple, Bill Ballad, Tricia Ballad, and Erin Banks


Security Strategies in Windows Platforms and Applications, Second Edition Michael G. Solomon


Security Strategies in Linux Platforms and Applications, Second Edition Michael Jang and Ric Messier


Network Security, Firewalls, and VPNs, Second Edition J. Michael Stewart


Hacker Techniques, Tools, and Incident Handling, Second Edition Sean-Philip Oriyano


Internet Security: How to Defend Against Attackers on the Web, Second Edition Mike Harwood


System Forensics, Investigation, and Response, Third Edition Chuck Easttom


Cyberwarfare: Information Operations in a Connected World Mike Chapple and David Seidl


Wireless and Mobile Device Security Jim Doherty


JONES & BARTLETT LEARNING


The Information Systems Security & Assurance Series (ISSA) offers an interactive curriculum solution that covers the essential topics needed to support certification or degree programs within IT Security, Cybersecurity, Information Assurance and Information Systems Security. Developed by certified professionals, the series delivers fundamental IT security principles and real-world applications, tools, and techniques used in today’s work force and necessary for accommodating the rapidly growing job demand for cybersecurity. The inclusion of robust courseware and innovative labs, delivered in a first-of-its-kind “cloud” computing environment, offers a fully immersive cloud learning experience. Students can learn in a trial-and-error format in an experiential learning environment with no risk, gaining invaluable workplace-related skills essential to maintaining the security and confidentiality of their employers’ data assets. Visit http://www.issaseries.com/ for the most current information on text availability and additional information on the Virtual Security Cloud Labs.



System Forensics, Investigation, and Response




THIRD EDITION


Chuck Easttom


JONES & BARTLETT LEARNING


World Headquarters Jones & Bartlett Learning 5 Wall Street Burlington, MA 01803 978-443-5000 info@jblearning.com www.jblearning.com


Jones & Bartlett Learning books and products are available through most bookstores and online booksellers. To contact Jones & Bartlett Learning directly, call 800-832-0034, fax 978-443-8000, or visit our website, www.jblearning.com.


Substantial discounts on bulk quantities of Jones & Bartlett Learning publications are available to corporations, professional associations, and other qualified organizations. For details and specific discount information, contact the special sales department at Jones & Bartlett Learning via the above contact information or send an email to specialsales@jblearning.com.


Copyright © 2019 by Jones & Bartlett Learning, LLC, an Ascend Learning Company


All rights reserved. No part of the material protected by this copyright may be reproduced or utilized in any form, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the copyright owner.



The content, statements, views, and opinions herein are the sole expression of the respective authors and not that of Jones & Bartlett Learning, LLC. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not constitute or imply its endorsement or recommendation by Jones & Bartlett Learning, LLC and such reference shall not be used for advertising or product endorsement purposes. All trademarks displayed are the trademarks of the parties noted herein. System Forensics, Investigation, and Response, Third Edition is an independent publication and has not been authorized, sponsored, or otherwise approved by the owners of the trademarks or service marks referenced in this product.


There may be images in this book that feature models; these models do not necessarily endorse, represent, or participate in the activities represented in the images. Any screenshots in this product are for educational and instructive purposes only. Any individuals and scenarios featured in the case studies throughout this product may be real or fictitious, but are used for instructional purposes only.


This publication is designed to provide accurate and authoritative information in regard to the Subject Matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional service. If legal advice or other expert assistance is required, the service of a competent professional person should be sought.


Production Credits
VP, Executive Publisher: David D. Cella
Executive Editor: Matt Kane
Acquisitions Editor: Laura Pagluica
Editorial Assistant: Mary Menzemer
Associate Production Editor: Alex Schab
Director of Marketing: Andrea DeFronzo
Production Services Manager: Colleen Lamy
VP, Manufacturing and Inventory Control: Therese Connell
Composition: codeMantra U.S. LLC
Cover Design: Scott Moden
Rights & Media Specialist: Thais Miller
Media Development Editor: Shannon Sheehan
Cover Image (Title Page, Part Opener, Chapter Opener): © Click Bestsellers/Shutterstock
Printing and Binding: Edwards Brothers Malloy
Cover Printing: Edwards Brothers Malloy


Library of Congress Cataloging-in-Publication Data
Names: Easttom, Chuck, author.
Title: System forensics, investigation, and response / Chuck Easttom.
Description: Third Edition. | Burlington, MA : Jones & Bartlett Learning, [2019] | Revised edition of the author’s System forensics, investigation, and response, c2014.
Identifiers: LCCN 2017018109 | ISBN 9781284121841
Subjects: LCSH: Computer crimes—Investigation—Textbooks.
Classification: LCC HV8079.C65 E37 2017 | DDC 363.25/968—dc23
LC record available at https://lccn.loc.gov/2017018109




Printed in the United States of America 21 20 19 18 17 10 9 8 7 6 5 4 3 2 1



Contents

Preface


About the Author


PART I Introduction to Forensics


CHAPTER 1 Introduction to Forensics

What Is Computer Forensics?


Using Scientific Knowledge


Collecting


Analyzing


Presenting


Understanding the Field of Digital Forensics


What Is Digital Evidence?


Scope-Related Challenges to System Forensics


Types of Digital System Forensics Analysis


General Guidelines


Knowledge Needed for Computer Forensics Analysis


Hardware


Software


Networks


Addresses


Obscured Information and Anti-Forensics


The Daubert Standard


U.S. Laws Affecting Digital Forensics


The Federal Privacy Act of 1974


The Privacy Protection Act of 1980


The Communications Assistance for Law Enforcement Act of 1994


The Electronic Communications Privacy Act of 1986


The Computer Security Act of 1987


The Foreign Intelligence Surveillance Act of 1978


The Child Protection and Sexual Predator Punishment Act of 1998


The Children’s Online Privacy Protection Act of 1998


The Communications Decency Act of 1996


The Telecommunications Act of 1996


The Wireless Communications and Public Safety Act of 1999


The USA Patriot Act of 2001


The Sarbanes-Oxley Act of 2002


18 U.S.C. § 1030: Fraud and Related Activity in Connection with Computers


18 U.S.C. § 1020: Fraud and Related Activity in Connection with Access Devices


The Digital Millennium Copyright Act (DMCA) of 1998


18 U.S.C. § 1028A: Identity Theft and Aggravated Identity Theft


18 U.S.C. § 2251: Sexual Exploitation of Children


Warrants


Federal Guidelines


The FBI


The Secret Service


The Regional Computer Forensics Laboratory Program


CHAPTER SUMMARY


KEY CONCEPTS AND TERMS


CHAPTER 1 ASSESSMENT


CHAPTER 2 Overview of Computer Crime


How Computer Crime Affects Forensics


Identity Theft


Phishing


Spyware


Discarded Information


How Does This Crime Affect Forensics?


Hacking


SQL Injection


Cross-Site Scripting


Ophcrack


Tricking Tech Support


Hacking in General


Cyberstalking and Harassment


Real Cyberstalking Cases


Fraud


Investment Offers


Data Piracy


Non-Access Computer Crimes


Denial of Service


Viruses


Logic Bombs


Cyberterrorism


How Does This Crime Affect Forensics?


CHAPTER SUMMARY


KEY CONCEPTS AND TERMS


CHAPTER 2 ASSESSMENT


CHAPTER 3 Forensic Methods and Labs


Forensic Methodologies


Handle Original Data as Little as Possible


Comply with the Rules of Evidence


Avoid Exceeding Your Knowledge


Create an Analysis Plan


Technical Information Collection Considerations


Formal Forensic Approaches


Department of Defense Forensic Standards


The Digital Forensic Research Workshop Framework


The Scientific Working Group on Digital Evidence Framework


An Event-Based Digital Forensics Investigation Framework


Documentation of Methodologies and Findings


Disk Structure


File Slack Searching


Evidence-Handling Tasks


Evidence-Gathering Measures


Expert Reports


How to Set Up a Forensic Lab


Equipment


Security


American Society of Crime Laboratory Directors


Common Forensic Software Programs


EnCase


Forensic Toolkit


OSForensics


Helix


Kali Linux


AnaDisk Disk Analysis Tool


CopyQM Plus Disk Duplication Software


The Sleuth Kit


Disk Investigator


Forensic Certifications


EnCase Certified Examiner Certification


AccessData Certified Examiner


OSForensics


Certified Cyber Forensics Professional


EC Council Computer Hacking Forensic Investigator


High Tech Crime Network Certifications


Global Information Assurance Certification Certifications


CHAPTER SUMMARY


KEY CONCEPTS AND TERMS


CHAPTER 3 ASSESSMENT


PART II Technical Overview: System Forensics Tools, Techniques, and Methods


CHAPTER 4 Collecting, Seizing, and Protecting Evidence

Proper Procedure


Shutting Down the Computer


Transporting the Computer System to a Secure Location


Preparing the System


Documenting the Hardware Configuration of the System


Mathematically Authenticating Data on All Storage Devices


Handling Evidence


Collecting Data


Documenting Filenames, Dates, and Times


Identifying File, Program, and Storage Anomalies


Evidence-Gathering Measures


Storage Formats


Magnetic Media


Solid-State Drives


Digital Audio Tape Drives


Digital Linear Tape and Super DLT


Optical Media


Using USB Drives


File Formats


Forensic Imaging


Imaging with EnCase


Imaging with the Forensic Toolkit


Imaging with OSForensics


RAID Acquisitions


CHAPTER SUMMARY


KEY CONCEPTS AND TERMS


CHAPTER 4 ASSESSMENT


CHAPTER LAB


CHAPTER 5 Understanding Techniques for Hiding and Scrambling Information

Steganography


Historical Steganography


Steganophony


Video Steganography


More Advanced Steganography


Steganalysis


Invisible Secrets


MP3Stego


Additional Resources


Encryption


The History of Encryption


Modern Cryptography


Breaking Encryption


CHAPTER SUMMARY


KEY CONCEPTS AND TERMS


CHAPTER 5 ASSESSMENT


CHAPTER 6 Recovering Data

Undeleting Data


File Systems and Hard Drives


Windows


Forensically Scrubbing a File or Folder


Linux


Macintosh


Recovering Information from Damaged Media


Physical Damage Recovery Techniques


Recovering Data After Logical Damage


File Carving


CHAPTER SUMMARY


KEY CONCEPTS AND TERMS


CHAPTER 6 ASSESSMENT


CHAPTER 7 Email Forensics


How Email Works


Email Protocols


Faking Email


Email Headers


Getting Headers in Outlook


Getting Headers from Yahoo! Email


Getting Headers from Gmail


Other Email Clients


Email Files


Paraben’s Email Examiner


ReadPST


Tracing Email


Email Server Forensics


Email and the Law


The Fourth Amendment to the U.S. Constitution


The Electronic Communications Privacy Act


The CAN-SPAM Act


18 U.S.C. 2252B


The Communication Assistance to Law Enforcement Act


The Foreign Intelligence Surveillance Act


The USA Patriot Act


CHAPTER SUMMARY


KEY CONCEPTS AND TERMS


CHAPTER 7 ASSESSMENT


CHAPTER 8 Windows Forensics


Windows Details


Windows History


64-Bit


The Boot Process


Important Files


Volatile Data


Tools


Windows Swap File


Windows Logs


Windows Directories


UserAssist


Unallocated/Slack Space


Alternate Data Streams


Index.dat


Windows Files and Permissions


MAC


The Registry


USB Information


Wireless Networks


Tracking Word Documents in the Registry


Malware in the Registry


Uninstalled Software


Passwords


ShellBag


Prefetch


Volume Shadow Copy


Memory Forensics


Volatility


CHAPTER SUMMARY


KEY CONCEPTS AND TERMS


CHAPTER 8 ASSESSMENT


CHAPTER 9 Linux Forensics


Linux and Forensics


Linux Basics


Linux History


Linux Shells


Graphical User Interface


K Desktop Environment (KDE)/Plasma


Linux Boot Process


Logical Volume Manager


Linux Distributions


Linux File Systems


Ext


The Reiser File System


The Berkeley Fast File System


Linux Logs


The /var/log/faillog Log


The /var/log/kern.log Log


The /var/log/lpr.log Log


The /var/log/mail.* Log


The /var/log/mysql.* Log


The /var/log/apache2/* Log


The /var/log/lighttpd/* Log


The /var/log/apport.log Log


Other Logs


Viewing Logs


Linux Directories


The /root Directory


The /bin Directory


The /sbin Directory


The /etc Folder


The /etc/inittab File


The /dev Directory


The /mnt Directory


The /boot Directory


The /usr Directory


The /var Directory


The /var/spool Directory


The /proc Directory


Shell Commands for Forensics


The Command


The Command


The Command


The Command


The Command


The Command


The Command


The Command


The Command


The Command


The Command


The Command


The Command


The Command


The Command


The Command


Can You Undelete in Linux?


Manual Method


Kali Linux Forensics


Forensics Tools for Linux


CHAPTER SUMMARY


KEY CONCEPTS AND TERMS


CHAPTER 9 ASSESSMENT


CHAPTER 10 Macintosh Forensics


Mac Basics


Mac History


Mac File Systems


Partition Types


Macintosh Logs


The /var/log Log


The /var/spool/cups Folder


The /Library/Receipts Folder


The /Users/<user>/.bash_history Log


The /var/vm Folder


The /Users/ Directory


The /Users/<user>/Library/Preferences/ Folder


Directories


The /Volumes Directory


The /Users Directory


The /Applications Directory


The /Network Directory


The /etc Directory


The /Library/Preferences/SystemConfiguration/dom.apple.preferences.plist File


Macintosh Forensic Techniques


Target Disk Mode


Searching Virtual Memory


Shell Commands


How to Examine a Mac


Can You Undelete in Mac?


CHAPTER SUMMARY


KEY CONCEPTS AND TERMS


CHAPTER 10 ASSESSMENT


CHAPTER 11 Mobile Forensics


Cellular Device Concepts


Terms


Operating Systems


The BlackBerry


What Evidence You Can Get from a Cell Phone


Types of Investigations


Phone states


Seizing Evidence from a Mobile Device


The iPhone


BlackBerry


JTAG


CHAPTER SUMMARY


KEY CONCEPTS AND TERMS


CHAPTER 11 ASSESSMENT


CHAPTER 12 Performing Network Analysis

Network Packet Analysis


Network Packets


Network Attacks


Network Traffic Analysis Tools


Network Traffic Analysis


Using Log Files as Evidence


Wireless


Router Forensics


Router Basics


Types of Router Attacks


Getting Evidence from the Router


Firewall Forensics


Firewall Basics


Collecting Data


CHAPTER SUMMARY


KEY CONCEPTS AND TERMS


CHAPTER 12 ASSESSMENT


PART III Incident Response and Resources


CHAPTER 13 Incident and Intrusion Response

Disaster Recovery


Incident Response Plan


Incident Response


Preserving Evidence


Adding Forensics to Incident Response


Forensic Resources


Forensics and Policy


CHAPTER SUMMARY


KEY CONCEPTS AND TERMS


CHAPTER 13 ASSESSMENT


CHAPTER 14 Trends and Future Directions

Technical Trends


What Impact Does This Have on Forensics?


Software as a Service


The Cloud


What Impact Does Cloud Computing Have on Forensics?


Legal and Procedural Trends


Changes in the Law


The USA Patriot Act


Private Labs


International Issues


Techniques


CHAPTER SUMMARY


KEY CONCEPTS AND TERMS


CHAPTER 14 ASSESSMENT


CHAPTER 15 System Forensics Resources


Tools to Use


ASR Data Acquisition & Analysis


AccessData Forensic Toolkit


OSForensics


ComputerCOP


Digital Detective


Digital Intelligence


Disk Investigator


EnCase


X-Ways Software Technology AG


Other Tools


Resources


International Association of Computer Investigative Specialists


EnCase Certified Examiner Certification


AccessData Certified Examiner


Certified Hacking Forensic Investigator


Certified Cyber Forensics Professional


SANS Institute


American Academy of Forensic Sciences


Websites


Journals


Conferences


Laws


The USA Patriot Act


The Electronic Communications Privacy Act of 1986


The Communications Assistance to Law Enforcement Act of 1996


The Health Insurance Portability and Accountability Act of 1996


CHAPTER SUMMARY


KEY CONCEPTS AND TERMS


CHAPTER 15 ASSESSMENT


APPENDIX A Answer Key


APPENDIX B Standard Acronyms


Glossary of Key Terms


References


Index


Preface

Purpose of This Book

This book is part of the Information Systems Security & Assurance Series from Jones & Bartlett Learning (www.jblearning.com). Designed for courses and curriculums in IT Security, Cybersecurity, Information Assurance, and Information Systems Security, this series features a comprehensive, consistent treatment of the most current thinking and trends in this critical subject area. These titles deliver fundamental information security principles packed with real-world applications and examples. Authored by Certified Information Systems Security Professionals, they deliver comprehensive information on all aspects of information security. Reviewed word-for-word by leading technical experts in the field, these books are not just current, but forward-thinking—putting you in the position to solve the cybersecurity challenges not just of today, but of tomorrow as well.


Computer crimes call for forensics specialists—people who know how to find and follow the evidence. But even aside from criminal investigations, incident response requires forensic skills. This book begins by examining the fundamentals of system forensics: what forensics is, an overview of computer crime, the challenges of system forensics, and forensics methods and labs. The second part of this book addresses the tools, techniques, and methods used to perform computer forensics and investigation. These include collecting evidence, investigating information hiding, recovering data, and scrutinizing email. It also discusses how to perform forensics in the Windows, Linux, and Macintosh operating systems; on mobile devices; and on networks. Finally, the third part explores incident and intrusion response, emerging technologies and future directions of this field, and additional system forensics resources.


Learning Features

The writing style of this book is practical and conversational. Each chapter begins with a statement of learning objectives. Step-by-step examples of information security concepts and procedures are presented throughout the text. Illustrations are used both to clarify the material and to vary the presentation. The text is sprinkled with Notes, Tips, FYIs, Warnings, and sidebars to alert the reader to additional helpful information related to the subject under discussion. Chapter assessments appear at the end of each chapter, with solutions provided in the back of the book.


Chapter summaries are included in the text to provide a rapid review or preview of the material and to help students understand the relative importance of the concepts presented.


Audience

The material is suitable for undergraduate or graduate computer science majors or information science majors, students at a 2-year technical college or community college who have a basic technical background, or readers who have a basic understanding of IT security and want to expand their knowledge.


This book is dedicated to all the forensic analysts who work diligently to extract the evidence necessary to find the truth in criminal and civil cases.


About the Author

Chuck Easttom is an internationally renowned computer security expert and trainer. He has been in the IT industry for more than 25 years and has been training for more than 15. He routinely conducts computer security and forensics training for civilian companies, law enforcement, government agencies, and friendly foreign governments. He holds more than 40 industry certifications, including several forensics certifications such as: Certified Cyber Forensics Professional (CCFP), Certified Hacking Forensic Investigator (CHFI), Certified Criminal Investigator (CCI), Access Certified Examiner (ACE), Oxygen Certified Examiner, Certified Forensic Consultant (CFC), and others. He has served as an expert witness in U.S. court cases since 2004, and has extensive courtroom experience. He also has extensive hands-on experience conducting forensic examinations as part of both criminal investigations and incident response.


Chuck created the OSForensics certification (OSFCE) course and test. He is an associate member of the American Academy of Forensics. Chuck is a frequent speaker at universities and conferences. He has been a speaker at Columbia University’s ACM Chapter, Harvard Computer Society, (ISC) Security Congress, SecureWorld, Hakon India, Hakon Africa, Defcon, Enfuse, IAFLS, AAFS, ADFSL, and many other conferences. You can visit the author’s website at www.chuckeasttom.com.



PART I: Introduction to Forensics


CHAPTER 1 Introduction to Forensics


CHAPTER 2 Overview of Computer Crime


CHAPTER 3 Forensic Methods and Labs


CHAPTER 1: Introduction to Forensics

This chapter introduces you to the field of computer forensics. That means it will cover some legal issues, the basic concepts of the forensic process, and a review of the basic computer and networking knowledge you will need.


Chapter 1 Topics

This chapter covers the following topics and concepts:


What computer forensics is


What you need to know about the field of digital forensics


What you need to know for computer forensics analysis


What the Daubert standard is


What the relevant laws are


What the federal guidelines are


Chapter 1 Goals

When you complete this chapter, you will be able to:


Understand the basic concepts of forensics


Maintain the chain of custody


Understand basic hardware and networking knowledge needed for forensics


Know the basic laws related to computer forensics


What Is Computer Forensics?

Before you can answer the question, “What is computer forensics?” you should address the question, “What is forensics?” The American Heritage Dictionary defines forensics as “the use of science and technology to investigate and establish facts in criminal or civil courts of law.”


Essentially, forensics is the use of science to process evidence so you can establish the facts of a case. The individual case being examined could be criminal or civil, but the process is the same. The evidence has to be examined and processed in a consistent scientific manner. This is to ensure that the evidence is not accidentally altered and that appropriate conclusions are derived from that evidence.


You have probably seen some crime drama wherein forensic techniques were a part of the investigative process. In such dramas, a bullet is found and forensics is used to determine the gun that fired the bullet. Or, perhaps a drop of blood is found and forensics is used to match the DNA to a suspect. These are all valid aspects of forensics. However, our modern world is full of electronic devices with the capacity to store data. The extraction of that data in a consistent scientific manner is the subject of computer forensics.


The Computer Emergency Response Team (CERT) defines computer forensics in this manner:


Forensics is the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts.… Forensics deals primarily with the recovery and analysis of latent evidence. Latent evidence can take many forms, from fingerprints left on a window to DNA evidence recovered from blood stains to the files on a hard drive.


According to the website Computer Forensics World:


Generally, computer forensics is considered to be the use of analytical and investigative techniques to identify, collect, examine and preserve evidence/information which is magnetically stored or encoded.


The objective in computer forensics is to recover, analyze, and present computer-based material in such a way that it can be used as evidence in a court of law. In computer forensics, as in any other branch of forensic science, the emphasis must be on the integrity and security of evidence. A forensic specialist must adhere to stringent guidelines and avoid taking shortcuts.


Any device that can store data is potentially the subject of computer forensics. Obviously, that includes devices such as network servers, personal computers, and laptops.


It must be noted that computer forensics has expanded. The topic now includes cell phone forensics, router forensics, global positioning system (GPS) device forensics, tablet forensics, and forensics of many other devices. The term digital forensics is a more encompassing term that includes all of these devices. Regardless of the term you use, the goal is the same: to apply solid scientific methodologies to a device in order to extract evidence for use in a court proceeding.


Although the subject of computer forensics, as well as the tools and techniques used, is significantly different from traditional forensics—like DNA analysis and bullet examination—the goal is the same: to obtain evidence that can be used in some legal proceeding. Computer forensics applies to all the domains of a typical IT infrastructure, from the User Domain and Remote Access Domain to the Wide Area Network (WAN) Domain and Internet Domain (see FIGURE 1-1).


FIGURE 1-1 The seven domains of a typical IT infrastructure.


Consider some elements of the preceding definitions. In particular, let’s look at this sentence: “Forensics is the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts.” Each portion of this is critical, and the following sections of this chapter examine each one individually.


Using Scientific Knowledge


First and foremost, computer forensics is a science. This is not a process based on your “gut feelings” or personal whim. It is important to understand and apply scientific methods and processes, and to have knowledge of the relevant scientific disciplines. For computer forensics, that begins with a thorough understanding of computer hardware. Then you need to understand the operating system running on that device; even smartphones and routers have operating systems. You must also understand at least the basics of computer networks.


If you attempt to master forensics without this basic knowledge, you are not likely to be successful. Now if you find yourself starting in on a course and are not sure if you have the requisite knowledge, don’t panic. First, you simply need a basic knowledge of computers and computer networks. If you have taken a couple of basic computer courses at a college or perhaps the CompTIA A+ certification, you have the baseline knowledge. Also, you will get a review of some basic concepts in this chapter.


However, the more you know about computers and networks, the better you will be at computer forensics. There is no such thing as “knowing too much.” Even though some technical details change quickly, such as the capacity and materials of hard disks, other details change very slowly, if at all, such as the various file systems, the role of volatile and nonvolatile memory, and the fact that criminals take advantage of the advancements in computer and digital technology to improve their lives as much as the businessman, student, or homeowner. A great deal of information is stored in computers. Keep learning what is there, where it is stored, and how that information may be used by computer user and computer criminal alike.


Collecting

Before you can do any forensic analysis or examination, you have to collect the evidence. There are very specific procedures for properly collecting evidence. You will be introduced to some general guidelines later in this chapter. The important thing to realize for now is that how you collect the evidence determines if that evidence is admissible in a court.


Analyzing

This is one of the most time-consuming parts of a forensic investigation, and it can be the most challenging. Once you have collected the data, what does it mean? The real difference between a mediocre investigator and a star investigator is the analysis. The data is there, but do you know what it means? This is also related to your level of scientific knowledge. If you don’t know enough, you may not see the significance of the data you have.


You also have to be able to solve puzzles. That is, in essence, what any forensic investigation is. It is solving a complex puzzle—putting together the data you have and finding out what sort of picture is revealed. You might try to approach a forensic investigation like Sherlock Holmes. Look at every detail. What does it mean? Before you jump to a conclusion, how much evidence do you have to support that conclusion? Are there alternatives and, in fact, better explanations for the data?


Presenting

Once you have finished your investigation, done your analysis, and obeyed all the rules and guidelines, you still have one more step. You will have to present that evidence in one form or another. The two most basic forms are the expert report and expert testimony. In either case, it will be your job to interpret the arcane and seemingly impenetrable technical information using plain English that paints an accurate picture for the court. You must not use jargon and technobabble. Your clear use of language, and potentially graphics and demonstrations, if needed, may be the difference between a big win and a lost case. So you should take a quick look at each of these.


WARNING


Court procedures vary from jurisdiction to jurisdiction, but in most cases an expert cannot directly testify about anything not in his or her expert report. That is why it is critical to be thorough and to put into the report anything you feel might be pertinent to the case. In your work as an expert witness, you will often find additional items in an investigation—items that are peripheral to the main case. If you put those in your report, however, you will be able to testify about them at trial.


The Expert Report

An expert report is a formal document that lists what tests you conducted, what you found, and your conclusions. It also includes your curriculum vitae (CV), which is like a résumé, only much more thorough and specific to your work experience as a forensic investigator. Specific rules will vary from court to court, but as a general rule, if you don’t put it in your report, you cannot testify about it at trial. So you need to make very certain that your report is thorough. Put in every single test you used, every single thing you found, and your conclusions. Expert reports tend to be rather long.


It is also important to back up your conclusions. As a general rule, it’s good to have at least two to three references for every conclusion. In other words, in addition to your own opinion, you want to have a few reputable references that either agree with that conclusion or provide support for how you came to that conclusion. This way, it is not just your expert opinion, but it is supported by other reputable sources. Make sure you use reputable sources; for example, CERT, the Federal Bureau of Investigation (FBI), the Secret Service, and the Cornell University Law School are all very reputable sources.


The reason for this is that in every legal case there are two sides. The opposing side will have an attorney and perhaps its own expert. The opposing attorney will want to pick apart every opinion and conclusion you have. If there is an opposing expert, he or she will be looking for alternative interpretations of the data or flaws in your method. You have to make sure you have fully supported your conclusions.


It should be noted that the length and level of detail found in reports vary. In many cases, criminal courts won’t require a formal expert report, but rather a statement from the attorney as to who you are and what topics you intend to testify about. You will still need to produce a report of your forensic examination. In civil court, particularly in intellectual property cases, the expert report is far more lengthy and far more detailed. In my own experience, reports of 100, 200, or more pages are common. The largest I have seen yet was over 1500 pages long.


Although not all cases will involve a full, detailed expert report, many will, particularly intellectual property cases. There are few legal guidelines on expert report writing, but a few issues have become clear in my experience.


Expert reports generally start with the expert’s qualifications. This should be a complete curriculum vitae detailing education, work history, and publications. Particular attention should be paid to elements of the expert’s history that are directly related to the case at hand. Then the report moves on to the actual topic at hand. An expert report is a very thorough document. It must first detail exactly what analysis was used. How did the expert conduct his or her examination and analysis? In the case of computer forensics, the expert report should detail what tools the expert used, what the results were, and the conditions of the tests conducted. Also, any claim an expert makes in a report should be supported by extrinsic reputable sources. This is sometimes overlooked by experts because they are themselves used as authoritative sources, or because the claim being made seems obvious to them. For example, if an expert report needs to detail how domain name service (DNS) works in order to describe a DNS poisoning attack, then there should be references to recognized authoritative works regarding the details of domain name service. If they are not included, at trial a creative attorney can often extract nontraditional meanings from even commonly understood terms.


The next issue with an expert report is its completeness. The report must cover every item the expert wishes to opine on, and in detail. Nothing can be assumed. In some jurisdictions, if an item is not in the expert report, then the expert is not allowed to discuss it during testimony. Whether or not that is the case in your jurisdiction, it is imperative that the expert report you submit is very thorough and complete. And of course, it must be error-free. Even the smallest error can give opposing counsel an opportunity to impugn the accuracy of the entire report and the expert’s entire testimony. This is a document that should be carefully proofread by the expert and by the attorney retaining the expert.


Expert Testimony

As a forensic specialist, you will testify as an expert witness, that is, on the basis of scientific or technical knowledge you have that is relevant to a case, rather than on the basis of direct personal experience. Your testimony will be referred to as expert testimony, and there are two scenarios in which you give it: a deposition and a trial. A deposition—testimony taken from a witness or party to a case before a trial—is less formal, and is typically held in an attorney’s office. The other side’s lawyer gets to ask you questions. In fact, the lawyer can even ask some questions that would probably be disallowed by a trial judge. But do remember, this is still sworn testimony, and lying under oath is perjury, which is a felony.


U.S. Federal Rule 702, Testimony by Expert Witnesses, defines what an expert is and what expert testimony is:


A witness who is qualified as an expert by knowledge, skill, experience, training, or education may testify in the form of an opinion or otherwise if:


a. the expert’s scientific, technical, or other specialized knowledge will help the trier of fact to understand the evidence or to determine a fact in issue;


b. the testimony is based on sufficient facts or data;


c. the testimony is the product of reliable principles and methods; and


d. the expert has reliably applied the principles and methods to the facts of the case.


This definition is very helpful. Regardless of your credentials, did you base your conclusions on sufficient facts and data? Did you apply reliable scientific principles and methods in forming your conclusions? These questions should guide your forensic work.


During a deposition, the opposing counsel has a few goals. The first goal is to find out as much as possible about your position, methods, conclusions, and even your side’s legal strategy. It is important to answer honestly but as briefly as possible. Don’t volunteer information unasked. That simply allows the other side to be better prepared for trial. The second thing a lawyer is looking for during a deposition is to get you to commit to a position you may not be able to defend later. So follow a few rules:




If you don’t fully understand the question, say so. Ask for clarification before you answer.


If you really don’t know, say so. Do not ever guess.


If you are not 100 percent certain of an answer, say so. Say “to the best of my current recollection” or something to that effect.


The other way you may testify is at trial. The first thing you absolutely must understand is that the first time you testify, you will be nervous. You’ll begin to wonder if you are properly prepared. Are your conclusions correct? Did you miss anything? Don’t worry; each time you do this, it gets easier. Next, remember that the opposing counsel, by definition, disagrees with you and wants to trip you up. It might be helpful to remind yourself, “The opposing counsel’s default position is that I am both incompetent and a liar.” Now that is a bit harsh, and probably an overstatement, but if you start from that premise you will be prepared for the opposing counsel’s questions. Don’t be too upset if he or she is trying to make you look bad. It is not personal.


The secret to deposition and trial testimony is simple: Be prepared. You should not only make certain your forensic process is done correctly and well documented, including liberal use of charts, diagrams, and other graphics, but also prepare before you testify. Go over your report and your notes again. Often, your attorney will prep you, particularly if you have never testified before. Try to look objectively at your own report to see if there is anything the opposing counsel might use against you. Are there alternative ways to interpret the evidence? If so, why did you reject them?


The most important things on the stand are to keep calm and tell the truth. Obviously, any lie, even a very minor one that is not directly related to your investigation, would be devastating. But becoming agitated or angry on the stand can also undermine your credibility.


In addition to U.S. Federal Rule 702, there are several other U.S. Federal Rules related to expert witness testimony at trial. They are listed and very briefly described here:


Rule 703, Admissibility of Facts: An expert may base an opinion on facts or data that the expert has been made aware of or personally observed. If experts in the particular field would reasonably rely on those kinds of facts or data in forming an opinion on the subject, they need not be admissible for the opinion to be admitted. But if the facts or data would otherwise be inadmissible, the proponent of the opinion may disclose them to the jury only if their probative value in helping the jury evaluate the opinion substantially outweighs their prejudicial effect.


Rule 704, Opinion on Ultimate Issue: An opinion is not objectionable just because it embraces an ultimate issue. In other words, an expert witness can, in many cases, offer an opinion as to the ultimate issue in a case.


Rule 705, Disclosing Underlying Facts for Opinion: Unless the court orders otherwise, an expert may state an opinion—and give the reasons for it—without first testifying to the underlying facts or data. But the expert may be required to disclose those facts or data on cross-examination. Essentially, the expert can state his or her opinion without first giving the underlying facts, but should expect to be questioned on those facts at some point.


Rule 706, Court-Appointed Expert: This rule covers the appointment of a neutral expert to advise the court. Such experts are not working for the plaintiff or the defendant, but rather for the court.


Rule 401, Relevance of Evidence: Evidence is relevant if: (a) it has any tendency to make a fact more or less probable than it would be without the evidence; and (b) the fact is of consequence in determining the action.


Understanding the Field of Digital Forensics


The field of digital forensics is changing very rapidly. First and foremost, standards are emerging. This means there are clearly defined ways of properly doing forensics. When computer forensics first began, most investigations were conducted according to the whim of the investigator rather than through a standardized methodology. But as the field has matured, it has also standardized. Today, there are clear, codified methods for conducting a forensic examination.


Another change is in who is doing forensics. At one time, all forensics, including computer forensics, was the exclusive domain of law enforcement. That is no longer the case. Today, the following entities are also involved in and actively using computer forensics:


The military: The military uses digital forensics to gather intelligence information from computers captured during military actions.


Government agencies: Government agencies use digital forensics to investigate crimes involving computers. These agencies include the FBI, U.S. Postal Inspection Service, Federal Trade Commission, U.S. Food and Drug Administration, and U.S. Secret Service. They also include the U.S. Department of Justice’s National Institute of Justice (NIJ), the National Institute of Standards and Technology (NIST), the Office of Law Enforcement Standards (OLES), the Department of Homeland Security, and foreign government agencies, among others.


Law firms: Law firms need experienced system forensics professionals to conduct investigations and testify as expert witnesses. For example, civil cases can use records found on computer systems that bear on cases involving fraud, divorce, discrimination, and harassment.


Criminal prosecutors: Criminal prosecutors use digital evidence when working with incriminating documents. They try to link these documents to crimes such as drug trafficking, embezzlement, financial fraud, homicide, and child pornography.


Academia: Academia is involved with forensic research and education. For example, many universities offer degrees in digital forensics and online criminal justice.


Data recovery firms: Data recovery firms use digital forensics techniques to recover data after hardware or software failures and when data has been lost.


Corporations: Corporations use digital forensics to assist in employee termination and prosecution. For example, corporations sometimes need to gather information concerning theft of intellectual property or trade secrets, fraud, embezzlement, sexual harassment, and network and computer intrusions. They also need to find evidence of unauthorized use of equipment, such as computers, fax machines, answering machines, voicemail systems, smartphones, and tablets.


Insurance companies: Insurance companies use digital evidence of possible fraud in accident, arson, and workers’ compensation cases.


Individuals: Individuals sometimes hire forensic specialists in support of possible claims. These cases may include, for example, wrongful termination, sexual harassment, or age discrimination.


What Is Digital Evidence?

Information includes raw numbers, pictures, and a vast array of other data that may or may not have relevance to a particular event or incident under investigation. Digital evidence is information that has been processed and assembled so that it is relevant to an investigation and supports a specific finding or determination. Put another way, all the raw information is not, in and of itself, evidence. First and foremost, data has to be relevant to a case in order to be evidence.


Investigators must carefully show an unbroken chain of custody to demonstrate that evidence has been protected from tampering. The chain of custody is the continuity of control of evidence that makes it possible to account for all that has happened to evidence between its original collection and its appearance in court, preferably unaltered. If forensic specialists can’t demonstrate that they have maintained the chain of custody, then the court may consider all their conclusions invalid.


Courts deal with four types of evidence:


Real: Real evidence is a physical object that someone can touch, hold, or directly observe. Examples of real evidence are a laptop with a suspect’s fingerprints on the keyboard, a hard drive, a universal serial bus (USB) drive, or a handwritten note.


Documentary: Documentary evidence is data stored as written matter, on paper or in electronic files. Documentary evidence includes memory-resident data and computer files. Examples are email messages, logs, databases, photographs, and telephone call-detail records. Investigators must authenticate documentary evidence.


Testimonial: Testimonial evidence is information that forensic specialists use to support or interpret real or documentary evidence. For example, they may employ testimonial evidence to demonstrate that the fingerprints found on a keyboard are those of a specific individual. Or system access controls might show that a particular user stored specific photographs on a desktop.


Demonstrative: Demonstrative evidence is information that helps explain other evidence. An example is a chart that explains a technical concept to the judge and jury.


Forensic specialists must often provide testimony to support the conclusions of their analyses. For example, a member of an incident response team might be required to testify that he or she identified the computer program that deleted customer records at a specified date and time. In such a case, the testimony must show how the investigator reached his or her conclusion. The testimony must also show that the specialist protected the information used in making the determination from tampering; that is, the testimony must show that the forensic investigator maintained the chain of custody. It must also show that the testifier based his or her conclusion on a reasonable, although not necessarily absolute, interpretation of the information. Further, the forensic specialist must present his or her testimony in a manner that avoids use of technical jargon and complex technical discussions and should use pictures, charts, and other graphics when helpful. Judges, juries, and lawyers aren’t all technical experts. Therefore, a forensic specialist should translate technology into understandable descriptions. Pictures often communicate better than just numbers and words, so a forensic specialist may want to create charts and graphs.


Scope-Related Challenges to System Forensics

The scope of a forensic effort often presents not just an analytical challenge, but also a psychological challenge. Information systems collect and retain large volumes of data. They store this data in a dizzying array of applications, formats, and hardware components. In completing an analysis, forensic specialists face variations in the following:


The volume of data to be analyzed


The complexity of the computer system


The size and character of the crime scene, which might involve a network that crosses U.S. and foreign jurisdictions


The size of the caseload and resource limitations


Forensic specialists must be prepared to quickly complete an analysis regardless of these factors. The following sections discuss these factors in more detail.


Large Volumes of Data

Digital forensics is useful in identifying and documenting evidence. It is a disciplined approach that looks at the entire physical media, such as a hard disk drive, for all information representations. A system forensics specialist has access to all the information contained on a device—not just what the end user sees. A forensic analyst also examines metadata, which is data about information, such as disk partition structures and file tables. Metadata also includes file creation and modification times. Who authored a file and when it was revised or updated are also important pieces of metadata for a forensic analyst to document. An analyst also examines the often-critical unused areas of the media where information might be hidden. Examining all areas of potential data storage and examining all potential data representations generates extremely large volumes of information. A forensic specialist must analyze, store, and control all this information for the full duration of the investigation and analysis.


The total amount of information that is potentially relevant to a case offers a challenge to forensic analysts. Hard drives well in excess of 1 terabyte are quite common today. In fact, one can purchase a 4-terabyte drive for under $150 at any electronics store. While writing this chapter for the third edition of the book, I came across an advertisement from a popular electronics store for an 8-terabyte external drive for $230. When working with such large volumes, a forensic specialist must do the following:


Ensure that his or her equipment is capable of manipulating large volumes of information quickly.


Provide for duplicate storage so that the original media and its resident information are preserved and protected against tampering and other corruption.


Create backups early and often to avoid losing actual information and its associated metadata.


Document everything that is done in an investigation and maintain the chain of custody.


In addition to all these tasks, a forensic specialist must work within the forensic budget. Manipulating and controlling large volumes of information is expensive. An investigator should show how budget cost items contribute to the analysis and to maintaining the chain of custody. Resource limitations increase the potential for analysis error and may compromise the analysis. For example, a forensic analyst may need to explain how the addition of data custodians or additional hard drives can multiply costs.


System Complexity

Modern computer systems can be extremely complex. This is not just a matter of the aforementioned size of storage, but also the wide array of data and formats. Digital devices use multiple file formats, including Adobe Portable Document Format (PDF) files, Microsoft Word (DOC and DOCX) documents, Microsoft Excel spreadsheets (XLS and XLSX), video files (AVI, MOV, etc.), and image files (JPEG, GIF, BMP, TIFF, etc.), to name just a few. This does not even take into account formats of information “in motion” such as Voice over IP (VoIP), instant messaging protocols, real-time video broadcasts, or two-way conferences. These systems connect to and share data with other systems that may be located anywhere in the world. In addition, the law may protect specific items and not others. No single forensic software application can deal with all the complexity.


Forensic specialists must use a set of software and hardware tools and supporting manual procedures.


Further, a forensic specialist must build a case to support his or her interpretation of the “story” told by the information being analyzed. The specialist, therefore, must have an understanding of all digital information and its associated technology. The specialist should also be able to show corroboration that meets the traditional legal evidence tests. Specific tests of legal evidence can vary from venue to venue and from jurisdiction to jurisdiction. There are a few basic tests that apply everywhere, but the chain of custody and the Daubert standard, both of which are discussed in this chapter, are nearly universal.


Individual pieces of information may have more than one possible interpretation. To reach a conclusion and turn raw information into supportable, actionable evidence, a forensic specialist must identify and analyze corroborating information. In other words, it is often the case that a single piece of information is not conclusive. It often takes the examination and correlation of multiple individual pieces of information to reach a conclusion. It is also a common practice for a forensic investigator to use more than one tool to conduct a test. For example, if you utilize one particular tool to recover deleted files, it can be a good idea to use yet another tool to conduct the same test. If two different tools yield the same result, this is compelling evidence that the information gathered is accurate and reliable. However, if the results differ, the forensic analyst has another situation to deal with.


Distributed Crime Scenes

Because networks are geographically dispersed, crime scenes may also be geographically dispersed. This creates practical as well as jurisdictional problems. Think about how difficult it is for a U.S. investigator to get evidence out of computers in China, for instance. Criminals take advantage of jurisdictional differences. A criminal may sell fake merchandise via the Internet from a foreign country to Americans in several states. The criminal may then route his or her Internet access, and the associated electronic payments, through several other countries before they reach their final destination.


Digital crime scenes can, and increasingly do, span the globe. Depending on the type of system connectivity and the controls in place, a forensic specialist may have to deal with information stored throughout the world and often in languages other than English. This could involve thousands of devices and network logs. Networks and centralized storage also present challenges because items of interest may not be stored on the target computer.


Gathering evidence from such a geographically far-flung digital crime scene requires the cooperation of local, state, and tribal governments, sometimes multiple national governments, and international agencies in tracking down the criminals and bringing them to justice. If all the governments and agencies do not cooperate with one another, access to evidence is threatened or denied, and as a result, the investigation may fail.


Growing Caseload and Limited Resources

The number of forensic specialists today is too small to analyze every cybercrime. Regardless of the state of the economy, digital forensics specialists can be assured of two things: Their caseload will grow, and their resources will, relative to caseload, become more limited. It is a simple fact that anyone in law enforcement who works in digital crimes has a case backlog, and that backlog is increasing.


The digital forensics analysis workload is growing and will continue to grow as computers and related digital devices are used more and in different ways in the commission of crimes. Driving this growth is the increasing use of technology in all aspects of modern life, not just in support of business objectives. Criminals utilize technology not only to conduct crimes, but also, in some cases, to hide the evidence. Forensic tools can also be used by criminals to eradicate evidence as easily as they can be used by investigators to locate, analyze, and catalog evidence.


Types of Digital System Forensics Analysis

Today, digital system forensics includes a number of specialties. The following are some examples:


Disk forensics: The process of acquiring and analyzing information stored on physical storage media, such as computer hard drives, smartphones, GPS systems, and removable media. Disk forensics includes both the recovery of hidden and deleted information and the process of identifying who created a file or message.


Email forensics: The study of the source and content of email as evidence. Email forensics includes the process of identifying the sender, recipient, date, time, and origination location of an email message. You can use email forensics to identify harassment, discrimination, or unauthorized activities. There is also a body of laws that deals with retention and storage of emails that are specific to certain fields, such as financial and medical.


Network forensics: The process of examining network traffic, including transaction logs and real-time monitoring using sniffers and tracing, is known as network forensics.


Internet forensics: The process of piecing together where and when a user has been on the Internet. For example, you can use Internet forensics to determine whether inappropriate Internet content access and downloading were accidental.


Software forensics: The process of examining malicious computer code is known as software forensics; it is also known as malware forensics.


Live system forensics: The process of searching memory in real time, typically for working with compromised hosts or to identify system abuse, is live system forensics.


Cell-phone forensics: The process of searching the contents of cell phones is called cell-phone forensics. A few years ago, this was just not a big issue, but with the ubiquitous nature of cell phones today, cell-phone forensics is a very important topic. A cell phone can be a treasure trove of evidence. Modern cell phones are essentially computers with processors, memory, even hard drives and operating systems, and they operate on networks. Phone forensics also includes VoIP and traditional phones, and it may involve the Foreign Intelligence Surveillance Act of 1978 (FISA), the USA Patriot Act, and the Communications Assistance for Law Enforcement Act (CALEA) in the United States.


Each of these types of forensic analysis requires specialized skills and training.


General Guidelines

Later in this chapter you will read about specific federal guidelines, but you should keep a few general principles in mind when doing any forensic work, as discussed in the following sections.


Chain of Custody

This is the most important principle in any forensic effort, digital or nondigital. The chain of physical custody must be maintained. From the time the evidence is first seized by a law enforcement officer or civilian investigator until the moment it is shown in court, the whereabouts and custody of the evidence, and how it was handled and stored and by whom, must be able to be shown at all times. Failure to maintain proper chain of custody can lead to evidence being excluded from trial.


Don’t Touch the Suspect Drive

One very important principle is to touch the system as little as possible. It is possible to make changes to the system in the process of examining it, which is very undesirable. Obviously, you have to interact with the system to investigate it. The answer is to make a forensic copy and work with that copy. You can make a forensic copy with most major forensic tools such as AccessData’s Forensic Toolkit, Guidance Software’s EnCase, or PassMark’s OSForensics. There are also open-source software products that allow copying of original source information. To be safe, make a copy and analyze the copy.


There are times, however, when you will need to interact directly with live evidence. For example, when a computer is first discovered, you will want to do an initial analysis to determine running processes and connections, before you make an image. You may also need to perform live forensics in certain situations, such as some cloud computing environments. We will discuss these as we encounter them in this book.


Document Trail


The next issue is documentation. The rule is that you document everything. Who was present when the device was seized? What was connected to the device or showing on the screen when you seized it? What specific tools and techniques did you use? Who had access to the evidence from the time of seizure until the time of trial? All of this must be documented. And when in doubt, err on the side of over documentation. It really is not possible to document too much information about an investigation.
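The two guidelines above, making a forensic copy and documenting every step, can be put into practice in a small script. This is an added example, not code from the book or from any of the tools it names: it copies an evidence file bit for bit, hashes the original before and after acquisition and the copy afterwards with SHA-256, writes each action to an append-only chain-of-custody log, and shows a later re-verification catching a stray write to the working copy. The "drive" is a constructed sample file and the examiner name is a placeholder; the same functions work on a raw device node opened read-only.

```python
"""Forensic copy with hash verification and a chain-of-custody log (added example)."""
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1024 * 1024  # stream in 1 MiB pieces so large media never have to fit in RAM


class CustodyLog:
    """Append-only JSON-lines record of who did what to which item, and when."""

    def __init__(self, path, examiner):
        self.path = path
        self.examiner = examiner

    def record(self, action, item, digest=None, **extra):
        entry = {
            "utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "examiner": self.examiner,
            "action": action,
            "item": os.path.basename(item),
            "sha256": digest,
        }
        entry.update(extra)
        with open(self.path, "a", encoding="utf-8") as f:
            f.write(json.dumps(entry) + "\n")

    def entries(self):
        with open(self.path, encoding="utf-8") as f:
            return [json.loads(line) for line in f if line.strip()]


def sha256_of(path):
    """Hash a file in streaming fashion and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def forensic_copy(source, image, log):
    """Bit-for-bit copy of `source` to `image`, hashed before and after, every step logged.

    Returns the three digests and whether they all agree.
    """
    before = sha256_of(source)
    log.record("hash_original_before", source, before)

    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    log.record("acquire_image", image)

    after = sha256_of(source)  # shows the original was not altered by the acquisition
    log.record("hash_original_after", source, after)
    image_hash = sha256_of(image)
    log.record("hash_image", image, image_hash)

    verified = before == after == image_hash
    log.record("verify_image", image, image_hash, result="match" if verified else "MISMATCH")
    return {"before": before, "after": after, "image": image_hash, "verified": verified}


def reverify(image, expected_digest, log):
    """Re-hash the working copy before analysis; any change since acquisition shows up here."""
    current = sha256_of(image)
    ok = current == expected_digest
    log.record("reverify_image", image, current, result="match" if ok else "MISMATCH")
    return ok


def run_demo():
    """Image a constructed sample 'drive', then show re-verification catching a stray write."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "evidence_disk.bin")
    image = os.path.join(work, "evidence_disk.img")
    log = CustodyLog(os.path.join(work, "custody.jsonl"), examiner="EXAMINER-NAME-PLACEHOLDER")

    # Constructed sample contents: 3 MiB of random bytes plus a marker string.
    with open(source, "wb") as f:
        f.write(os.urandom(3 * CHUNK))
        f.write(b"CONSTRUCTED SAMPLE EVIDENCE")

    result = forensic_copy(source, image, log)
    result["reverify_ok"] = reverify(image, result["image"], log)

    # Simulate an accidental write to the working copy (one byte flipped) and re-check.
    with open(image, "r+b") as f:
        first = f.read(1)
        f.seek(0)
        f.write(bytes([first[0] ^ 0xFF]))
    result["tamper_detected"] = not reverify(image, result["image"], log)
    result["log"] = log.entries()
    return result


if __name__ == "__main__":
    for entry in run_demo()["log"]:
        print(entry["action"], entry.get("result", ""), entry["sha256"])
```

The log is the record you would hand over with the image: each line names the examiner, the action, the item, the time, and the digest, so a later reader can see that the original's hash did not change and that the copy matched it at acquisition.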


Secure the Evidence

It is absolutely critical to the integrity of your investigation as well as to maintaining the chain of custody that you secure the evidence. It is common to have the forensic lab be a locked room with access given only to those who must enter. Then, evidence is usually secured in a safe, with access given out only on a need-to-know basis. You have to take every reasonable precaution to ensure that no one can tamper with the evidence.


Knowledge Needed for Computer Forensics Analysis


To conduct computer forensics, a certain background body of knowledge is required, just as with traditional forensics. For example, you cannot examine DNA without some basic education in blood and genetics. This applies to computer forensics as well. You must have an understanding of the systems you are examining in order to successfully examine them.


This chapter assumes that you have a basic understanding of computer hardware, software, and operating systems. This section briefly discusses the highlights of these areas that you need to know. If you find you are lacking in one or more areas, you should take some time to brush up on these topics before continuing. For many readers, these items will be a review; for others, some information may be new. If this is new information for you, bear in mind that this is the absolute minimum of knowledge. The more you know about the underlying technology, the more effective you will be.


Hardware

In general, good digital forensics examiners begin with a working knowledge of the hardware for the devices they want to examine. For PCs and laptops, this includes knowledge equivalent to the CompTIA A+ certification or a basic PC hardware course. If you are doing phone or router forensics, you need a similar level of knowledge of the hardware on those devices.


For PCs, this means a strong understanding of hard drives, memory, motherboards, and expansion cards. What exactly is a “strong understanding”? Think about random access memory (RAM). You are probably aware that RAM is volatile memory and it stores the programs and data you currently have open, but only for as long as the computer has power supplied to it. However, that level of knowledge is inadequate for forensics. A forensic examiner needs to go much deeper and understand the various types of RAM, how they work, the type of information that is contained in each, and how the computer uses them.


Random Access Memory RAM can be examined in multiple ways. One way is to look at the method whereby information is written to and read from RAM. These are presented in sequential order from older to newer technologies:


Extended data output dynamic random access memory (EDO DRAM): EDO lets the next read begin before the previous one has finished. Once a page has been selected, each sequential access within that page takes two clock cycles instead of three, and the single-cycle EDO variant can complete an entire memory transaction in one clock cycle.


Burst EDO (BEDO) DRAM: An evolution of the EDO, burst EDO DRAM can process four memory addresses in one burst.


Asynchronous dynamic random access memory (ADRAM): Conventional DRAM that is not synchronized to the CPU clock. EDO and BEDO are themselves asynchronous designs; the term mainly distinguishes all of them from the synchronous RAM that followed.


Synchronous dynamic random access memory (SDRAM): SDRAM is a replacement for EDO.


Double data rate (DDR) SDRAM: DDR SDRAM was a later development of SDRAM. DDR2, DDR3, and DDR4 are now available.


SDRAM and, more specifically, DDR3 and DDR4, are the most common forms of RAM found in PCs and laptops.


Another way to look at memory, one that is particularly important from a forensic point of view, is to consider its volatility. Volatile memory loses its contents when power is removed; nonvolatile memory retains them. This distinction decides what must be captured live, before a machine is powered down, and what can wait for a dead-box examination.


Random access memory (RAM): This is what most people think of when they say memory. It is quick to write to and read from. The memory is volatile, meaning as soon as power is discontinued, the data is gone.


Read-only memory (ROM): As the name suggests, this is not at all volatile; it cannot be changed. This is usually used for instructions embedded in chips and controls how the computer, option cards, peripherals, and other devices operate.


Programmable ROM (PROM): PROM can be programmed only once. Data is not lost when power is removed.


Erasable programmable ROM (EPROM): Data is not lost when power is removed, but the chip can be wiped by exposing it to ultraviolet light through its quartz window and then reprogrammed. Again, this is a technique for storing instructions on chips.


Electronically erasable programmable ROM (EEPROM): This can be erased and rewritten electrically, in place. It is how the instructions in a computer's BIOS are stored; modern systems keep their UEFI/BIOS firmware in flash memory, which is derived from EEPROM. Because this memory is rewritable, firmware is itself a place where an attacker can persist, and a thorough examination may need to image it.


Hard Drives A forensic specialist must also understand the following storage devices. The descriptions given here are for various types of connectors. The drives themselves are the same, but the method of attaching the drive, as well as the speed and efficiency of getting data to and from the drive, differ.


Small Computer System Interface (SCSI): This has been around for many years and is particularly popular in high-end servers. The standard is actually fairly old; SCSI-1 was published by ANSI in 1986. Parallel SCSI devices are daisy-chained, the chain must be terminated at both ends to work, and a bus is limited to 8 (narrow) or 16 (wide) device IDs, one of which belongs to the host adapter.


Integrated Drive Electronics (IDE): This is an older standard but one that was commonly used on PCs for many years. It is obvious you are dealing with an IDE or EIDE drive if you encounter a 40-pin connector on the drive.


Enhanced Integrated Drive Electronics (EIDE): This is an extension/enhancement of IDE.


Parallel Advanced Technology Attachment (PATA): Parallel ATA is the formal name given to IDE/EIDE once Serial ATA appeared. The drive connector is 40-pin; the later cables carry 80 conductors (the 40 signal lines interleaved with 40 grounds) to permit the faster Ultra DMA transfer modes, but they still end in a 40-pin plug.


Serial Advanced Technology Attachment (SATA): This is what you are most likely to find today. These devices are commonly found in workstations and many servers. The internals of the hard drive are very similar to IDE and EIDE; it is the connectivity to the computer's motherboard that is different. Also, unlike IDE or EIDE drives, SATA drives have no master/slave jumpers to set, because each drive has its own point-to-point link to the controller.


Serial Attached SCSI (SAS): This is a serial enhancement of SCSI. Through expanders it can address up to 65,535 devices, it does not require termination, and SAS controllers also accept SATA drives (though not the reverse). You will find it in servers and storage arrays.


Solid-state drives (SSDs): These are becoming more common, so it's worthwhile to discuss them in a bit more detail. Unlike the previously discussed drive types, these are not the same basic hard drive behind a different connector. SSDs have an entirely different construction and method of storing data: they use microchips that retain data in nonvolatile memory and contain no moving parts. Since about 2010, most SSDs have used negated AND gate (NAND) flash memory, which retains its contents without power. Solid-state drives do not benefit from defragmentation; any defragmentation process only adds writes to the NAND flash, which already has a limited number of erase cycles. High-performance flash-based SSDs generally require one-half to one-third the power of hard disk drives (HDDs); high-performance DRAM-based SSDs generally require as much power as HDDs, and consume power even when the rest of the system is shut down. From a forensic standpoint, the important difference is that the drive's own controller moves and erases data on its own schedule (wear leveling, garbage collection, and TRIM), so blocks freed by a deleted file may be wiped by the drive itself, even behind a write blocker. Image an SSD as early as possible and document its make, model, and firmware version.


All of these, except for solid state, refer to how the hard drive connects to the motherboard and transfers data, and do not define how information is stored on the disk. For all but solid state, the following hard drive facts apply.


HDDs record data by magnetizing ferromagnetic material directionally, to represent either a 0 or a 1 binary digit. The magnetic data is stored on platters; the platters are organized on a spindle with a read/write head reading and writing data to and from the platters. The data is organized as follows:


A sector is the basic unit of data storage on a hard disk, which is usually 512 bytes. However, newer systems often use a 4096-byte sector size.


A cluster is a logical grouping of sectors. Clusters can be 1 to 128 sectors in size. That means 512 bytes up to 64 kilobytes (KB). The minimum size a file can use is one cluster. If the file is less than the size of a cluster, the remaining space is simply unused.


Sectors are, in turn, grouped into tracks, the concentric rings on each platter surface; the set of tracks at the same radius across all platters is called a cylinder.


That is a basic description of most hard drives (with the exception of solid-state drives). Forensic examiners should know the following terms, which are used with all hard drives:


Drive geometry: This term refers to the functional dimensions of a drive in terms of the number of heads, cylinders, and sectors per track.


Slack space: This is the space between the end of a file and the end of its last cluster, assuming the file does not occupy the entire cluster. It can be used deliberately to hide data, and it often still holds remnants of whatever previously occupied the cluster, which is why forensic tools extract it separately.


Low-level format: This lays down the sector and track structure on the platters and, on modern drives, is done at the factory. Clusters are not created here; they are a file-system concept defined by the high-level format.


High-level format: This is the process of setting up an empty file system on the disk and installing a boot sector. When done as a quick format, it writes only the new file-system structures and leaves the data areas untouched, so the contents of the previous file system are usually still recoverable.
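

To make the cluster and slack arithmetic concrete, the following Python example (added here; it is not from the book) builds a small constructed disk image with 512-byte sectors and 4-sector clusters, places a 1,500-byte file in cluster 3 with leftover bytes from a previous occupant behind it, and extracts both the file and its slack. It also includes the CHS-to-LBA conversion that drive geometry implies. The example assumes the file is allocated contiguously; a fragmented file's runs would have to be walked from the file system's allocation structures instead.

```python
SECTOR_SIZE = 512


def cluster_size(sectors_per_cluster):
    """Bytes per cluster for the given cluster size in sectors."""
    return SECTOR_SIZE * sectors_per_cluster


def clusters_needed(file_size, sectors_per_cluster):
    """Whole clusters the file system must allocate; even a tiny file takes one."""
    csize = cluster_size(sectors_per_cluster)
    return max(1, -(-file_size // csize))      # ceiling division


def slack_size(file_size, sectors_per_cluster):
    """Bytes between the end of the file and the end of its last cluster."""
    allocated = clusters_needed(file_size, sectors_per_cluster) * cluster_size(sectors_per_cluster)
    return allocated - file_size


def chs_to_lba(cylinder, head, sector, heads_per_cylinder, sectors_per_track):
    """Map a cylinder/head/sector address to a logical block address.
    CHS sector numbers start at 1, LBA starts at 0."""
    return (cylinder * heads_per_cylinder + head) * sectors_per_track + (sector - 1)


def build_sample_image(sectors_per_cluster=4, total_clusters=16):
    """Constructed 32 KB 'disk': a 1,500-byte file in cluster 3, with residue
    from an earlier, larger file still sitting in the slack behind it."""
    csize = cluster_size(sectors_per_cluster)
    image = bytearray(csize * total_clusters)            # zero-filled platters
    first_cluster, file_data = 3, b"A" * 1500
    start = first_cluster * csize
    image[start:start + len(file_data)] = file_data
    leftover = b"previous-owner: passwd=hunter2\n"       # constructed residue
    image[start + len(file_data):start + len(file_data) + len(leftover)] = leftover
    return bytes(image), first_cluster, len(file_data)


def extract_file_and_slack(image, first_cluster, file_size, sectors_per_cluster):
    """Return (file bytes, slack bytes) for a contiguously allocated file.
    Assumption: the file occupies consecutive clusters starting at first_cluster."""
    csize = cluster_size(sectors_per_cluster)
    start = first_cluster * csize
    end = start + clusters_needed(file_size, sectors_per_cluster) * csize
    return image[start:start + file_size], image[start + file_size:end]


if __name__ == "__main__":
    img, first, size = build_sample_image()
    data, slack = extract_file_and_slack(img, first, size, 4)
    print(f"file={len(data)} bytes, slack={len(slack)} bytes")
    print("slack residue:", slack.rstrip(b"\x00"))
```

Run against a real image, the only change is how first_cluster and file_size are obtained: from the FAT chain or the NTFS $MFT data run, rather than from the constructor above.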


Software Once you have a basic understanding of hardware, the next step is to learn about the software, and this begins with the operating system. It is imperative that you have a strong working knowledge of the operating system running on the device you want to examine.


Windows There's a lot to know about Windows, but for now, here's a basic overview of how it works. The heart of Windows is the Windows Registry, a repository of settings, installed software, and parameters for Windows. If new software is installed, the Registry is updated to record it. If the background color of the desktop is changed, the Registry is updated to indicate the new color. From the Registry you can recover all kinds of information, including the wireless networks the machine has joined and the vendor, product, and serial numbers of USB storage devices that have been connected to that computer. On disk the Registry is stored as hive files (SYSTEM, SOFTWARE, SAM, and SECURITY under the Windows system directory, and NTUSER.DAT in each user's profile), and those files are what you acquire for offline analysis. This is really the most important part of Windows from both a technical-support and a forensic point of view.


Windows also has other interesting places to look for forensic evidence. Certain folders and files (the index.dat files kept by older versions of Internet Explorer, for instance) are great places to find evidence, and browser cookies and history can be useful; current browsers keep them in SQLite or ESE databases rather than in index.dat. Given that Windows is such a common operating system, it is advisable to be very familiar with it.
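

As an added illustration (not from this book), here is a small Python routine that pulls USB storage history out of a text export of the SYSTEM hive's USBSTOR enumeration key, the kind of evidence the Registry paragraph above mentions. The key-path layout (Disk&Ven_...&Prod_...&Rev_...\<instance ID>) and the rule that a system-generated instance ID has '&' as its second character are how Windows actually lays these keys out; the vendor, product, serial, and FriendlyName values in the sample are made up. In practice you would export the key with reg.exe from a live system or parse the offline hive with a Registry library; the parser here handles only the exported text.

```python
import re
from dataclasses import dataclass

# Constructed fragment of a .reg export. Key layout is Windows' own; the
# device details are invented for illustration.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001230817113204&0]
"FriendlyName"="SanDisk Cruzer Glide USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBStor\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&3a3d3b0f&0&0]
"FriendlyName"="Generic Flash Disk USB Device"
"""

USBSTOR_KEY = re.compile(
    r"\\Enum\\USBSTOR\\Disk&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)"
    r"&Rev_(?P<rev>[^\\]*)\\(?P<instance>[^\]\\]+)\]",
    re.IGNORECASE,
)
FRIENDLY_NAME = re.compile(r'^"FriendlyName"="(.*)"\s*$')


@dataclass
class UsbDevice:
    vendor: str
    product: str
    revision: str
    instance_id: str
    friendly_name: str = ""

    @property
    def has_unique_serial(self):
        # Windows uses the device's own serial as the instance ID when the
        # device reports one; otherwise it synthesizes an ID whose second
        # character is '&'. Only the former identifies a specific unit.
        return len(self.instance_id) > 1 and self.instance_id[1] != "&"

    @property
    def serial(self):
        return self.instance_id.split("&")[0] if self.has_unique_serial else None


def parse_usbstor(reg_text):
    """Walk an exported .reg file and collect one record per USBSTOR device key."""
    devices, current = [], None
    for line in reg_text.splitlines():
        key = USBSTOR_KEY.search(line)
        if key:
            current = UsbDevice(
                vendor=key["vendor"].replace("_", " ").strip(),
                product=key["product"].replace("_", " ").strip(),
                revision=key["rev"],
                instance_id=key["instance"],
            )
            devices.append(current)
            continue
        name = FRIENDLY_NAME.match(line)
        if name and current is not None:
            current.friendly_name = name.group(1)
    return devices


if __name__ == "__main__":
    for dev in parse_usbstor(SAMPLE_REG):
        print(dev.vendor, dev.product, dev.revision,
              "serial=" + (dev.serial or "<system-generated, not unique>"))
```

The instance-ID check matters in practice: a device with no unique serial cannot be tied to a particular physical stick, only to a make and model, so the report should say so.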


Linux Linux is particularly interesting from a forensic point of view. Even though it is not as widely used as Windows, it is a favorite in the security and forensics community. You will find that a lot of free forensic tools come with Linux. In fact, one specific Linux distribution called Kali Linux (formerly called BackTrack) has an extensive collection of forensic, security, and hacking tools.


Linux is a UNIX-like system, originally developed by Linus Torvalds. There are now well over 100 different distributions, or variations, of Linux, but all share the same kernel and a common set of tools. In the Linux world, work done from the command line, called the shell in Linux, is far more important than it is in Windows.


Macintosh For many years, the classic Apple Macintosh system was an operating system of Apple's own design. However, beginning with OS X (now macOS), the Macintosh system has been built on Darwin, a UNIX-like foundation whose kernel combines Mach with code from FreeBSD and whose command-line tools come largely from FreeBSD. The graphical user interface is just that, an interface. The underlying operating system is a UNIX system, and has been certified as one.


This means that many forensic techniques you can use on Linux can also be used on Macintosh, from the shell prompt.


Files and File Systems Computers store discrete sets of related information in files. Any document, spreadsheet, picture, video, or even program is a file. It is a very easy thing to change the extension of a file so that it looks like some other type of file. However, that will not change the file structure itself. There are tools that allow viewing of the actual file structure and the file header. This is very important from a forensic perspective. The file header gives you an accurate understanding of the file, regardless of whether the extension has been changed. A few basic facts about files are as follows:


File headers start at the first byte of a file. This is particularly important when you practice file carving.


In graphics file formats, the header might give information about an image’s size, resolution, number of colors, and the like.


The Executable and Linkable Format (ELF, formerly called Extensible Linking Format) is a common standard file format for executables, object code, and shared libraries for UNIX-based systems.


Portable Executable (PE) is used in Windows for executables and dynamic-link libraries (DLLs). The PE format is a modified version of the earlier Common Object File Format (COFF), the object-file format of UNIX System V. A PE file still begins with an MS-DOS stub whose header points to the PE signature and COFF header that follow.


Areal density is the amount of data stored per unit of surface area on a platter.


Microsoft Office files carry a globally unique identifier (GUID) that identifies them.
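

Here is an added Python example (not from the book) of the two techniques the list above relies on: identifying a file from its header regardless of its extension, including the extra check a PE file needs because "MZ" alone only proves a DOS stub, and header-to-footer carving of JPEG and PNG files from a raw image. The magic numbers are the real ones for each format; the sample files and the disk image are constructed and contain no real image data.

```python
import struct

# Header/footer signatures. Formats without a fixed footer need a length
# from their own header and are identified but not carved here.
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff",      b"\xff\xd9"),
    ("png",  b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    ("pdf",  b"%PDF-",             b"%%EOF"),
    ("zip",  b"PK\x03\x04",        None),   # also docx/xlsx/pptx/jar/apk
    ("elf",  b"\x7fELF",           None),
]

EXPECTED_EXT = {
    "jpeg": {"jpg", "jpeg"}, "png": {"png"}, "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar", "apk"},
    "elf": {"", "so", "elf"}, "pe": {"exe", "dll", "sys", "scr"},
}


def is_pe(data):
    """'MZ' only proves a DOS stub; a PE also has 'PE\\0\\0' at the e_lfanew offset."""
    if not data.startswith(b"MZ") or len(data) < 0x40:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def identify(data):
    """Name the format from its leading bytes, or None if nothing matches."""
    if is_pe(data):
        return "pe"
    for name, header, _ in SIGNATURES:
        if data.startswith(header):
            return name
    return None


def check_extension(filename, data):
    """Return (detected format, whether the file's extension agrees with it)."""
    kind = identify(data)
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    return kind, (kind is not None and ext in EXPECTED_EXT[kind])


def carve(image):
    """Header-to-footer carving over a raw image; returns (format, offset, bytes)."""
    found = []
    for name, header, footer in SIGNATURES:
        if footer is None:
            continue
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            end = image.find(footer, start + len(header))
            if end < 0:
                break
            end += len(footer)
            found.append((name, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda hit: hit[1])


def minimal_pe():
    """Smallest constructed byte string is_pe() accepts: DOS header, e_lfanew=0x40, PE signature."""
    header = bytearray(0x44)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    header[0x40:0x44] = b"PE\x00\x00"
    return bytes(header)


# Constructed 'disk image': zero filler, a fake JPEG, some junk, a fake PNG.
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 40 + b"\xff\xd9"
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 30 + b"IEND\xaeB`\x82"
SAMPLE_IMAGE = b"\x00" * 100 + FAKE_JPEG + b"junk" * 10 + FAKE_PNG + b"\x00" * 50


if __name__ == "__main__":
    print(check_extension("holiday.txt", FAKE_JPEG))      # ('jpeg', False)
    for kind, offset, blob in carve(SAMPLE_IMAGE):
        print(f"{kind} at offset {offset}, {len(blob)} bytes")
```

Header-to-footer carving of this sort is deliberately simple: a JPEG with an embedded thumbnail contains a second FFD9 before the real end, so the carved file will be truncated, and formats without a footer (ZIP, ELF, PE) must be sized from their own headers. Production carvers such as scalpel or foremost handle those cases with per-format parsers.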


Files are organized on the computer based on the file system. There are many file systems, but they can be divided into two categories: journaling and non-journaling. Journaling is the process whereby the file system keeps a record of file transactions in progress, so that after a crash or power loss the file system can be brought back to a consistent state. Journaling file systems are fault tolerant because the file system logs all changes to files, directories, or file structures before applying them. The log in which changes are recorded is referred to as the file system's journal, hence the term journaling file system.


There are actually two types of journaling: physical and logical. With physical journaling, the system logs a copy of every block that is about to be written to the storage device, before it is written. The log also includes a checksum of those blocks, to make sure there is no error in writing the block. With logical journaling, only changes to file metadata are stored in the journal.
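

The following Python class is an added toy illustration of physical journaling (not code from any real file system): a block device that logs a copy of each block plus its CRC and a commit record before writing, and on recovery replays only entries that are both committed and intact. The block size, block contents, and the three transactions in the demo are constructed.

```python
import zlib

BLOCK_SIZE = 16   # tiny blocks so the constructed sample fits on screen


class JournaledDisk:
    """Toy block device with a physical (write-ahead) journal.

    begin() logs a copy of every block an operation will write, each with a
    CRC, followed by a commit record. checkpoint() copies the logged blocks to
    their home locations. If power fails in between, recover() replays only
    the entries that are both committed and intact."""

    def __init__(self, nblocks):
        self.blocks = [b"\x00" * BLOCK_SIZE for _ in range(nblocks)]
        self.journal = []   # ("data", txid, block_no, data, crc) or ("commit", txid)

    def begin(self, txid, writes):
        for block_no, data in writes:
            assert len(data) == BLOCK_SIZE
            self.journal.append(("data", txid, block_no, data, zlib.crc32(data)))
        self.journal.append(("commit", txid))

    def checkpoint(self, txid):
        for entry in self.journal:
            if entry[0] == "data" and entry[1] == txid:
                self.blocks[entry[2]] = entry[3]

    def recover(self):
        committed = {entry[1] for entry in self.journal if entry[0] == "commit"}
        replayed, rejected = [], []
        for entry in self.journal:
            if entry[0] != "data":
                continue
            _, txid, block_no, data, crc = entry
            if txid not in committed or zlib.crc32(data) != crc:
                rejected.append((txid, block_no))   # torn or uncommitted: do not apply
                continue
            self.blocks[block_no] = data
            replayed.append((txid, block_no))
        return replayed, rejected


def crash_recovery_demo():
    """Three transactions, then a simulated crash before any checkpoint.
    tx 1: committed; tx 2: crashed before its commit record was written;
    tx 3: committed, but one journal block was damaged on the way to disk."""
    disk = JournaledDisk(8)
    disk.begin(1, [(2, b"inode:file.txt  "), (5, b"data:hello world")])
    partial = b"data:partial...."
    disk.journal.append(("data", 2, 6, partial, zlib.crc32(partial)))   # no commit follows
    good = b"data:correct!!!!"
    disk.journal.append(("data", 3, 7, b"data:corrupted!!", zlib.crc32(good)))
    disk.journal.append(("commit", 3))
    replayed, rejected = disk.recover()
    return disk, replayed, rejected


if __name__ == "__main__":
    _, replayed, rejected = crash_recovery_demo()
    print("replayed:", replayed)   # [(1, 2), (1, 5)]
    print("rejected:", rejected)   # [(2, 6), (3, 7)]
```

For an examiner the journal cuts both ways: it is what lets the file system recover cleanly, but it also preserves copies of blocks, and therefore earlier versions of file contents and metadata, that have since been overwritten in their home locations. The journal area of an EXT3/EXT4 volume is a recognized place to look for such residue.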


Here are some specific file systems:


File Allocation Table (FAT): This is an older file system, which was popular with Microsoft operating systems for many years and is still common on removable media. FAT was first implemented in Microsoft Standalone Disk BASIC. FAT records where files live, cluster by cluster, in a table called the file allocation table; the table shows which clusters are chained together to form each file and which clusters are free. The variants FAT12, FAT16, and FAT32 differ in the width of each table entry, which determines how many clusters, and therefore how large a volume, each can address. Long filenames came later with the VFAT extension and are independent of those variants.


New Technology File System (NTFS): Microsoft eventually introduced a new file system to replace FAT. This file system is called New Technology File System (NTFS). It is the file system used by every version of Windows NT, from NT 3.1 through Windows 10 and Windows Server 2016. One major improvement of NTFS over FAT was the increased volume sizes NTFS could support. The on-disk format allows up to 2^64 - 1 clusters per volume, although the Windows implementation imposes a much smaller practical limit. We will be discussing NTFS in more detail when we discuss Windows forensics, later in this book.


Extended file system: This was the first file system created specifically for Linux. There have been many versions of EXT; the current version is 4. The EXT4 file system can support volumes with sizes up to 1 exabyte (10^18 bytes, or 1 billion gigabytes) and files with sizes up to 16 terabytes. This is a huge file and volume size, and no current hard drives come even close to that volume size. For an administrator, one of the most exciting features of EXT4 is that it is backward compatible with EXT2 and EXT3, making it possible to mount drives that use those earlier versions of EXT.


ReiserFS: This was for some years a popular journaling file system, used primarily with Linux. It was the first journaling file system merged into the standard Linux kernel, appearing in kernel version 2.4.1. Unlike some file systems, ReiserFS supported journaling from its inception, whereas EXT did not support journaling until version 3. ReiserFS is open source and was created by Hans Reiser. It has since been deprecated and removed from the mainline kernel, so an examiner who encounters a ReiserFS volume may need an older kernel or a dedicated tool to mount it.


The Berkeley Fast File System (FFS): This is also known as the UNIX file system (UFS). As its name suggests, it was developed at the University of California, Berkeley, for UNIX. Like many file systems, FFS uses a bitmap to track free blocks, indicating which are available and which are not. Like EXT, it has an fsck utility for checking consistency. This is only one of many similarities between FFS and EXT; in fact, EXT2 was modeled on FFS, and some sources consider EXT to be a variant of it. FFS and its descendants remain the native file systems of the BSD operating systems.


Networks Digital forensics, like all branches of cybersecurity, divides information into two types: information at rest and information in motion. Information at rest is anything stored inside the computer, whether in the file system or in memory. Information in motion is information being transmitted between endpoints and includes the protocols and other information needed for transmission. The transmission of information across networks and the network components used are a vast, quickly changing field. The modern forensic investigator, however, should be very familiar with the components and how they work, as well as the protocols and their operation, if information in motion is to be part of the investigator's skill set. This means being comfortable with both the seven-layer Open Systems Interconnection (OSI) Reference Model and the four-layer Internet model defined by the IETF in RFC 1122, which is often taught as a five-layer model with the physical layer split out from the link layer. If you lack this knowledge, you must acquire it before proceeding any further.


Addresses The digital forensics analyst must be aware of the way in which computer information is addressed and the proper vocabulary for discussing the different types of addresses and units of information transfer. It is also important for the digital forensics analyst to understand that not all addresses are a part of every communication. If they are present, the addresses are part of a hierarchy and are placed, one within the other, like envelopes.


Physical Ports Physical ports are physical. You can touch them; even a wireless interface has a physical antenna, although you may need to open the computer or other device to find it. The physical port operates at OSI Layer 1, the Physical Layer, where the unit of transfer is the bit, 1s and 0s encoded as electrical, optical, or radio signals. The grouping of bits into frames happens one layer up, at Layer 2, the Data Link Layer, and that is where MAC addresses come in.


MAC Addresses A MAC (Media Access Control) address is a 6-byte (48-bit) address used to identify a network interface. The first three bytes are the Organizationally Unique Identifier (OUI) assigned to the vendor by the IEEE; the last three identify the specific interface. Two bits of the first byte are flags: the lowest bit marks a multicast address, and the next bit marks a locally administered address, one set by software rather than burned in by the manufacturer. A MAC address is also referred to as a computer's physical or hardware address.


A MAC address is supposed to be unique, is supposed to be tied to one and only one physical port, and is not supposed to be duplicated or reused for any reason. In practice this is not always the case. Duplicates occur through poor quality control, and an address can be changed deliberately: operating systems expose the setting, attackers spoof addresses to impersonate hosts or evade filtering, and modern phones and laptops randomize their Wi-Fi addresses by default for privacy. The keen forensic investigator therefore treats a MAC address as an indicator to be corroborated, not as proof of which device was present, and looks specifically for the same address appearing with different IP addresses or on different switch ports.
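

The following Python snippet (added here, not from the book) shows the checks a forensic analyst would run over MAC addresses gathered from ARP caches or switch logs: normalizing the different notations, splitting out the OUI, decoding the multicast and locally administered bits, and flagging any address seen with more than one IP. The observations are constructed, and the OUI is not looked up against the IEEE registry, which would be a separate step.

```python
import re
from collections import defaultdict


def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff; return lower-case colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def mac_info(mac):
    """Split a MAC into OUI and NIC-specific halves and decode the two flag bits of
    the first byte: bit 0 = multicast (I/G), bit 1 = locally administered (U/L)."""
    m = normalize_mac(mac)
    first_byte = int(m[0:2], 16)
    return {
        "mac": m,
        "oui": m[:8],
        "nic_specific": m[9:],
        "multicast": bool(first_byte & 0x01),
        "locally_administered": bool(first_byte & 0x02),
    }


# Constructed observations, as a sensor or ARP-cache export would supply them:
# (where it was seen, IP address, MAC address).
OBSERVATIONS = [
    ("switch-a", "10.0.0.5",  "b8:27:eb:12:34:56"),
    ("switch-a", "10.0.0.9",  "02:00:5e:aa:bb:cc"),   # U/L bit set: software-assigned
    ("switch-b", "10.0.0.5",  "B8-27-EB-12-34-56"),   # same host, different notation
    ("switch-b", "10.0.0.77", "b827.eb12.3456"),      # same MAC claiming a second IP
]


def find_duplicate_macs(observations):
    """MAC addresses that were seen with more than one IP address."""
    ips_by_mac = defaultdict(set)
    for _, ip, mac in observations:
        ips_by_mac[normalize_mac(mac)].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}


def find_software_assigned(observations):
    """MACs with the locally administered bit set: not burned in, so possibly spoofed or randomized."""
    return sorted({normalize_mac(mac) for _, _, mac in observations
                   if mac_info(mac)["locally_administered"]})


if __name__ == "__main__":
    print("duplicates:", find_duplicate_macs(OBSERVATIONS))
    print("software-assigned:", find_software_assigned(OBSERVATIONS))
```

A flagged duplicate is a lead, not a conclusion: a single interface can legitimately hold two IP addresses, and a randomized Wi-Fi address shows the locally administered bit without any spoofing. Corroborate with DHCP logs, switch port mappings, and the device's own stored configuration.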


IP Addresses Internet Protocol (IP) addresses, sometimes called logical addresses, are assigned to a computer and can be easily changed. Although IP version 6, with its 128-bit addresses, has been available for quite some time, a majority of computers still use IP version 4, which provides a 32-bit address. We will discuss IP version 4 and version 6 in more detail later in this book when we discuss network forensics.


Logical Port Numbers Communication over a network depends on an IP address and a port number. A port is a 16-bit number (0 to 65535) carried in the TCP or UDP header that identifies which service on the host the traffic is for; you can think of it as a channel. Well-known port numbers are conventions, not guarantees: a service can listen on any port, and an attacker can run one protocol on another's well-known port, so the traffic itself must be examined before a port number is trusted. Here is a list of some common ports and their uses:


20 and 21, File Transfer Protocol (FTP): For transferring files between computers. Port 20 is for data; port 21 is for control.


22, SSH (Secure Shell) and SFTP (SSH File Transfer Protocol): Used as secure alternatives to Telnet and FTP, respectively. SFTP runs inside an SSH session, so both share port 22.


23, Telnet: Used to remotely log on to a system and run commands from a command prompt or shell. It was long popular with network administrators, but it sends credentials and session contents in cleartext, so its presence on a network is itself a finding worth noting.


25, Simple Mail Transfer Protocol (SMTP): Used to send email.


43, WHOIS: A query protocol used to look up who registered a domain name or who was allocated a block of IP addresses. The query goes to a registry server on port 43, not to the target itself.
