Online Sample Chapter
Handling Computer Hardware in a Computer Forensics Investigation
Sample Pages
Download the sample pages (includes Chapter 9 and Index)
Table of Contents
Introduction xx
Chapter 1: The Scope of Computer Forensics  2
  Introduction  2
  Popular Myths about Computer Forensics  3
  Types of Computer Forensics Evidence Recovered  5
    Electronic Mail (Email)  5
    Images  7
    Video  8
    Websites Visited and Internet Searches  9
    Cellphone Forensics  10
  What Skills Must a Computer Forensics Investigator Possess?  10
    Computer Science Knowledge  10
    Legal Expertise  11
    Communication Skills  11
    Linguistic Abilities  11
    Continuous Learning  11
    An Appreciation for Confidentiality  12
  The Importance of Computer Forensics  12
    Job Opportunities  12
  A History of Computer Forensics  14
    1980s: The Advent of the Personal Computer  14
    1990s: The Impact of the Internet  15
  Training and Education  19
    Law Enforcement Training  19
  Summary  25
Chapter 2: Windows Operating and File Systems  32
  Introduction  32
  Physical and Logical Storage  34
    File Storage  34
  File Conversion and Numbering Formats  37
    Conversion of Binary to Decimal  37
    Hexadecimal Numbering  37
    Conversion of Hexadecimal to Decimal  38
    Conversion of Hexadecimal to ASCII (American Standard Code for Information Interchange)  38
    Unicode  42
  Operating Systems  42
    The Boot Process  42
    Windows File Systems  44
  Windows Registry  50
    Registry Data Types  52
    FTK Registry Viewer  52
  Microsoft Windows Features  53
    Windows Vista  53
    Windows 7  59
    Windows 8.1  70
  Summary  73
Chapter 3: Handling Computer Hardware  80
  Introduction  80
  Hard Disk Drives  81
    Small Computer System Interface (SCSI)  81
    Integrated Drive Electronics (IDE)  82
    Serial ATA (SATA)  83
  Cloning a PATA or SATA Hard Disk  86
    Cloning Devices  86
  Removable Memory  93
    FireWire  94
    USB Flash Drives  94
    External Hard Drives  95
    MultiMedia Cards (MMCs)  96
  Summary  109
  References  114
Chapter 4: Acquiring Evidence in a Computer Forensics Lab  116
  Introduction  116
  Lab Requirements  117
    American Society of Crime Laboratory Directors  117
    American Society of Crime Laboratory Directors/Lab Accreditation Board (ASCLD/LAB)  117
    ASCLD/LAB Guidelines for Forensic Laboratory Management Practices  117
    Scientific Working Group on Digital Evidence (SWGDE)  119
  Private Sector Computer Forensics Laboratories  119
    Evidence Acquisition Laboratory  120
    Email Preparation Laboratory  120
    Inventory Control  120
    Web Hosting  121
  Computer Forensics Laboratory Requirements  121
    Laboratory Layout  121
    Laboratory Management  141
    Laboratory Access  141
  Extracting Evidence from a Device  144
    Using the dd Utility  144
    Using Global Regular Expressions Print (GREP)  145
    Skimmers  152
  Summary  156
Chapter 5: Online Investigations  162
  Introduction  162
  Working Undercover  163
    Generate an Identity  164
    Generate an Email Account  165
    Mask Your Identity  167
  Website Evidence  171
    Website Archives  171
    Website Statistics  172
  Background Searches on a Suspect  173
    Personal Information: Mailing Address, Email Address, Telephone Number, and Assets  174
    Personal Interests and Membership of User Groups  178
    Searching for Stolen Property  179
  Online Crime  195
    Identity Theft  195
    Credit Cards for Sale  195
    Electronic Medical Records  196
    Cyberbullying  196
    Social Networking  196
  Capturing Online Communications  197
    Using Screen Captures  197
    Using Video  199
    Viewing Cookies  199
    Using Windows Registry  200
  Summary  202
Chapter 6: Documenting the Investigation  210
  Introduction  210
  Obtaining Evidence from a Service Provider  211
  Documenting a Crime Scene  211
  Seizing Evidence  213
    Crime Scene Examinations  213
  Documenting the Evidence  214
    Completing a Chain of Custody Form  215
    Completing a Computer Worksheet  216
    Completing a Hard Disk Drive Worksheet  217
    Completing a Server Worksheet  218
  Using Tools to Document an Investigation  220
    CaseNotes  220
    FragView  220
  Helpful Mobile Applications (Apps)  221
    Network Analyzer  221
    System Status  221
    The Cop App  221
    Lock and Code  221
    Digital Forensics Reference  221
    Federal Rules of Civil Procedure (FRCP)  222
    Federal Rules of Evidence (FRE)  222
  Writing Reports  222
    Time Zones and Daylight Saving Time (DST)  222
    Creating a Comprehensive Report  224
  Using Expert Witnesses at Trial  227
    The Expert Witness  228
    The Goals of the Expert Witness  228
    Preparing an Expert Witness for Trial  228
  Summary  231
Chapter 7: Admissibility of Digital Evidence  238
  Introduction  238
  History and Structure of the United States Legal System  239
    Origins of the U.S. Legal System  240
    Overview of the U.S. Court System  241
    In the Courtroom  245
  Evidence Admissibility  248
    Constitutional Law  248
      First Amendment  248
      First Amendment and the Internet  249
      Fourth Amendment  251
      Fifth Amendment  263
      Sixth Amendment  264
    Congressional Legislation  265
    Rules for Evidence Admissibility  271
    Criminal Defense  276
  When Computer Forensics Goes Wrong  277
    Pornography in the Classroom  277
  Structure of the Legal System in the European Union (E.U.)  278
    Origins of European Law  278
    Structure of European Union Law  279
  Structure of the Legal System in Asia  282
    China  282
    India  282
  Summary  283
Chapter 8: Network Forensics  292
  Introduction  292
  The Tools of the Trade  293
  Networking Devices  294
    Proxy Servers  295
    Web Servers  295
    DHCP Servers  298
    SMTP Servers  299
    DNS Servers  301
    Routers  302
    IDS  304
    Firewalls  304
    Ports  305
  Understanding the OSI Model  305
    The Physical Layer  306
    The Data Link Layer  306
    The Network Layer  306
    The Transport Layer  307
    The Session Layer  308
    The Presentation Layer  308
    The Application Layer  309
  Advanced Persistent Threats  310
    Cyber Kill Chain  310
    Indicators of Compromise (IOC)  312
  Investigating a Network Attack  313
  Summary  314
Chapter 9: Mobile Forensics  320
  Introduction  320
  The Cellular Network  322
    Base Transceiver Station  322
    Mobile Station  326
    Cellular Network Types  331
    SIM Card Forensics  334
    Types of Evidence  337
  Handset Specifications  338
    Memory and Processing  338
    Battery  338
    Other Hardware  338
  Mobile Operating Systems  339
    Android OS  339
    Windows Phone  347
  Standard Operating Procedures for Handling Handset Evidence  347
    National Institute of Standards and Technology  348
    Preparation and Containment  349
    Wireless Capabilities  352
    Documenting the Investigation  354
  Handset Forensics  354
    Cellphone Forensic Software  354
    Cellphone Forensics Hardware  357
    Logical versus Physical Examination  358
  Manual Cellphone Examinations  358
    Flasher Box  359
  Global Satellite Service Providers  360
    Satellite Communication Services  360
  Legal Considerations  360
    Carrier Records  361
  Other Mobile Devices  361
    Tablets  361
    GPS Devices  362
  Summary  364
Chapter 10: Photograph Forensics  372
  Introduction  372
  Understanding Digital Photography  375
    File Systems  375
    Digital Photography Applications and Services  376
  Examining Picture Files  377
    Exchangeable Image File Format (EXIF)  377
  Evidence Admissibility  380
    Federal Rules of Evidence (FRE)  380
    Analog vs. Digital Photographs  381
  Case Studies  382
    Worldwide Manhunt  382
    NYPD Facial Recognition Unit  383
  Summary  384
Chapter 11: Mac Forensics  390
  Introduction  390
  A Brief History  391
    Macintosh  391
    Mac Mini with OS X Server  391
    iPod  393
    iPhone  394
    iPad  394
    Apple Wi-Fi Devices  395
  Macintosh File Systems  397
  Forensic Examinations of a Mac  398
    IOReg Info  398
    PMAP Info  399
    Epoch Time  399
    Recovering Deleted Files  401
    Journaling  401
    DMG File System  401
    PList Files  401
    SQLite Databases  404
  Macintosh Operating Systems  404
    Mac OS X  405
    Target Disk Mode  408
  Apple Mobile Devices  409
    iOS  410
    iOS 7  410
    iOS 8  410
    Security and Encryption  411
    iPod  412
    iPhone  413
    Enterprise Deployment of iPhone and iOS Devices  426
  Case Studies  426
    Find My iPhone  427
    Wanted Hacktivist  427
    Michael Jackson  427
    Stolen iPhone  427
    Drug Bust  427
  Summary  428
Chapter 12: Case Studies  436
  Introduction  436
  Zacharias Moussaoui  437
    Background  437
    Digital Evidence  438
    Standby Counsel Objections  439
    Prosecution Affidavit  440
    Exhibits  440
    Email Evidence  440
  BTK (Bind Torture Kill) Killer  441
    Profile of a Killer  441
    Evidence  442
  Cyberbullying  443
    Federal Anti-harassment Legislation  443
    State Anti-harassment Legislation  443
    Warning Signs of Cyberbullying  443
    What Is Cyberbullying?  444
    Phoebe Prince  444
    Ryan Halligan  445
    Megan Meier  445
    Tyler Clementi  445
  Sports  447
  Summary  449
TOC, 9780789741158, 11/20/2014