Ubc real estate assignment answers

The Right to Privacy 29

The Expert Witness 31

Chapter Review 32

Chapter Exercises 32

References 33

ptg11539634

viii

3 Search Warrants and Subpoenas 35 Distinguishing between Warrants and Subpoenas 36

What Is a Search and When Is It Legal? 37

Basic Elements of Obtaining a Warrant 40

The Plain View Doctrine 43

The Warrantless Search 44

Subpoenas 50

Chapter Review 51

Chapter Exercises 52

References 52

4 Legislated Privacy Concerns 55 General Privacy 56

Financial Legislation 59

Privacy in Health Care and Education 62

Privileged Information 64

Chapter Review 67

Chapter Exercises 68

References 68

5 The Admissibility of Evidence 71 What Makes Evidence Admissible? 71

Keeping Evidence Authentic 76

Defining the Scope of the Search 84

When the Constitution Doesn’t Apply 84

Chapter Review 89

Chapter Exercises 89

References 89

6 First Response and the Digital Investigator 91 Forensics and Computer Science 91

Controlling the Scene of the Crime 96

Handling Evidence 100

Chapter Review 109

Chapter Exercises 109

References 110

Contents

ptg11539634

ix

7 Data Acquisition 111 Order of Volatility 112

Memory and Running Processes 112

Acquiring Media 121

Chapter Review 128

Chapter Exercises 128

References 129

8 Finding Lost Files 131 File Recovery 131

The Deleted File 141

Data Carving 145

Chapter Review 149

Chapter Exercises 150

References 150

9 Document Analysis 151 File Identification 151

Understanding Metadata 157

Mining the Temporary Files 172

Identifying Alternate Hiding Places of Data 176

Chapter Review 183

Chapter Exercises 183

References 183

10 E-mail Forensics 185 E-mail Technology 185

Information Stores 191

The Anatomy of an E-mail 196

An Approach to E-mail Analysis 203

Chapter Review 210

Chapter Exercises 211

References 211

Contents

ptg11539634

x

Contents

11 Web Forensics 213 Internet Addresses 213

Web Browsers 215

Web Servers 233

Proxy Servers 238

Chapter Review 244

Chapter Exercises 244

References 245

12 Searching the Network 247 An Eagle’s Eye View 247

Initial Response 248

Proactive Collection of Evidence 250

Post-Incident Collection of Evidence 262

Router and Switch Forensics 268

Chapter Review 275

Chapter Exercises 275

References 276

13 Excavating a Cloud 277 What Is Cloud Computing? 277

Shaping the Cloud 279

The Implications of Cloud Forensics 284

On Virtualization 291

Constitutional Issues 300

Chapter Review 303

Chapter Exercises 304

References 304

14 Mobile Device Forensics 307 Challenges of Mobile Device Forensics 307

How Cell Phones Work 308

Data Storage on Cell Phones 313

Acquisition and Storage 317

Legal Aspects of Mobile Device Forensics 322

ptg11539634

xi

Contents

Chapter Review 324

Chapter Exercises 325

References 325

15 Fighting Antiforensics 327 Artifact Destruction 328

Hiding Data on the System 336

Covert Data 347

Chapter Review 354

Chapter Exercises 355

References 355

16 Litigation and Electronic Discovery 357 What Is E-Discovery? 358

A Roadmap of E-Discovery 358

Conclusion 377

Chapter Review 377

Chapter Exercises 377

References 378

17 Case Management and Report Writing 379 Managing a Case 379

Writing Reports 389

Chapter Review 393

Chapter Exercises 394

References 394

18 Tools of the Digital Investigator 395 Software Tools 395

Working with “Court-Approved” Tools 410

Hardware Tools 413

Nontechnical Tools 418

Chapter Review 421

Chapter Exercises 422

References 422

ptg11539634

xii

Contents

19 Building a Forensic Workstation 423 What Is a Forensic Workstation? 424

Commercially Available Forensic Workstations 425

Building a Forensic Workstation From Scratch 429

Chapter Review 440

Chapter Exercises 440

References 440

20 Licensing and Certification 441 Digital Forensic Certification 441

Vendor-Neutral Certification Programs 442

Vendor-Specific Certification Programs 449

Digital Forensic Licensing Requirements 452

Chapter Review 454

Chapter Exercises 454

References 454

21 The Business of Digital Forensics 457 Starting a New Forensics Organization 458

Maintaining the Organization 466

Generating Revenue 478

Organizational Certification 481

Chapter Review 483

Chapter Exercises 483

References 483

A Chapter Review Answers 485

B Sample Forms 505

Glossary 511

Index 521

ptg11539634

xiii

Pr e fAc e

In performing an investigation that explores the use of computers or digital data, one is basically embarking on an archaeological expedition. To extract useful artifacts (information, in our case), one must be exceedingly careful in how one approaches the site. The similarities between a digital investigation and an archaeo- logical excavation are much closer than you might imagine. Data, like physical arti- facts, gets dropped into the oddest places. The effects of time and environment are just as damaging, if not more so, to digital artifacts as they are physical mementos.

Wh y Th i S Bo o k ?

Archaeologists are fully aware that, due to the passage of time, there are things they can never recover. The skin that once covered a skeleton long buried in the desert can never be found and analyzed. Likewise, data that was once stored in active memory on a computer can’t be recovered once the computer is switched off. However, in each example, it is possible to uncover evidence that both existed. When you first begin a digital investigation, you are undertaking a modern archaeological dig. Just like the shards of broken pots tell the anthropologist a lot about the culture that once used the vessel, the data you dig out of the computer can tell you volumes about the people who used the system.

This book takes the concepts of archaeology and applies them to computer science. It is a tutorial on how to investigate a computer system to find evidence of a crime or other misbehavior, and to make sure that evidence will stand up in

ptg11539634

xiv

Preface

court. While there are numerous other books that cover the whys and wherefores of digital forensics, this one will go into some detail on how to accomplish the task.

We’ve all watched the TV programs where the good guys figure out everything the bad guys did just from examining a piece of hair. (Is this why the bad guys are always called “hairballs”?) In modern-day investigations, the role of the computer plays as big a part as the star witness in many cases. In fact, the computer often is the star witness. Many cases have been solved or settled on the basis of what trained professionals were able to discover while examining electronic evidence (e-evidence).

However, the courts take a dim view on just anybody digging around in some- body else’s computers. They generally insist that legal process be followed, and that only a trained professional attempt the examination. The extraction and analysis of e-evidence is all part of what we call computer forensics. So what is forensics? The word itself originated from the Latin word forum, which described a place where people could assemble publicly and discuss matters of interest to the community. In that context, the word was derived from the strict rules of presentation applied to such discussions. In the context of this book, the word best means application of sci- ence or technology to the collection of evidence for the purpose of establishing facts. The vast majority of references specify that forensic science is targeted at criminal inves- tigation. However, in the real world, digital investigations are commonly used in civil cases and within organizations to identify members engaged in illicit activities.

A crime scene investigator might have DNA from samples of hair found at the scene analyzed to prove that a specific individual was on the scene at least once. Chemical analysis of soil can identify a geographical origin. The process of com- puter forensics is a series of steps by which professionals can prove the following:

• Data exists. • Data once existed. • Data originated from a specific source. • A particular individual either created or had access to the data in question. • The data is relevant to the case. • The data has not changed in any way from acquisition to analysis.

While it is not always necessary to prove all of the above statements are true, in order to secure a case it is best if as many as possible can be locked down. Even when all of the above are proven, a slick lawyer can always point out the fact that e-evidence is almost always circumstantial and press for reasons why the investigation team has presented insufficient corroborating evidence to demonstrate relevance or authentic- ity. (Both of these terms will be discussed in greater detail in the course of this book.) Even if you can prove beyond a shadow of a doubt that Tammy Sue created the letter

ptg11539634