Introduction xx
Chapter 1: The Scope of Computer Forensics 2
Introduction.. . . . . . . . . . . . . . 2
Popular Myths about Computer Forensics.. . . . . . . 3
Types of Computer Forensics Evidence Recovered.. . . . . . 5
Electronic Mail (Email).. . . . . . . . . . . 5
Images.. . . . . . . . . . . . . . 7
Video. . . . . . . . . . . . . . 8
Websites Visited and Internet Searches.. . . . . . . 9
Cellphone Forensics.. . . . . . . . . . . 10
What Skills Must a Computer Forensics Investigator Possess?.. . . 10
Computer Science Knowledge. . . . . . . . . 10
Legal Expertise.. . . . . . . . . . . . 11
Communication Skills.. . . . . . . . . . . 11
Linguistic Abilities.. . . . . . . . . . . 11
Continuous Learning.. . . . . . . . . . . 11
An Appreciation for Confidentiality. . . . . . . . 12
The Importance of Computer Forensics.. . . . . . . . 12
Job Opportunities.. . . . . . . . . . . 12
A History of Computer Forensics.. . . . . . . . . 14
1980s: The Advent of the Personal Computer.. . . . . . 14
1990s: The Impact of the Internet.. . . . . . . . 15
Training and Education. . . . . . . . . . . . 19
Law Enforcement Training.. . . . . . . . . . 19
Summary.. . . . . . . . . . . . . . 25
Chapter 2: Windows Operating and File Systems 32
Introduction.. . . . . . . . . . . . . . 32
Physical and Logical Storage.. . . . . . . . . . 34
File Storage.. . . . . . . . . . . . . 34
File Conversion and Numbering Formats.. . . . . . . . 37
Conversion of Binary to Decimal.. . . . . . . . 37
Hexadecimal Numbering. . . . . . . . . . 37
Conversion of Hexadecimal to Decimal. . . . . . . 38
Conversion of Hexadecimal to ASCII (American Standard Code) for Information Interchange.. . . . . . . . . 38
Unicode.. . . . . . . . . . . . . 42
Operating Systems.. . . . . . . . . . . . 42
The Boot Process.. . . . . . . . . . . 42
Windows File Systems.. . . . . . . . . . 44
Windows Registry.. . . . . . . . . . . . . 50
Registry Data Types.. . . . . . . . . . . 52
FTK Registry Viewer.. . . . . . . . . . . 52
Microsoft Windows Features.. . . . . . . . . . 53
Windows Vista.. . . . . . . . . . . . 53
Windows 7.. . . . . . . . . . . . . 59
Windows 8.1. . . . . . . . . . . . . 70
Summary.. . . . . . . . . . . . . . 73
Chapter 3: Handling Computer Hardware 80
Introduction.. . . . . . . . . . . . . . 80
Hard Disk Drives.. . . . . . . . . . . . . 81
Small Computer System Interface (SCSI).. . . . . . . 81
Integrated Drive Electronics (IDE). . . . . . . . 82
Serial ATA (SATA).. . . . . . . . . . . 83
Cloning a PATA or SATA Hard Disk.. . . . . . . . . 86
Cloning Devices.. . . . . . . . . . . . 86
Removable Memory.. . . . . . . . . . . . 93
FireWire. . . . . . . . . . . . . . 94
USB Flash Drives.. . . . . . . . . . . . 94
External Hard Drives.. . . . . . . . . . . 95
MultiMedia Cards (MMCs).. . . . . . . . . . 96
Summary.. . . . . . . . . . . . . . 109
References.. . . . . . . . . . . . . . 114
Chapter 4: Acquiring Evidence in a Computer Forensics Lab 116
Introduction.. . . . . . . . . . . . . . 116
Lab Requirements. . . . . . . . . . . . 117
American Society of Crime Laboratory Directors.. . . . . 117
American Society of Crime Laboratory Directors/Lab Accreditation Board (ASCLD/LAB). . . . . . . . 117
ASCLD/LAB Guidelines for Forensic Laboratory Management Practices.. . . . . . . . . . . . . 117
Scientific Working Group on Digital Evidence (SWGDE).. . . 119
Private Sector Computer Forensics Laboratories.. . . . . . 119
Evidence Acquisition Laboratory.. . . . . . . . 120
Email Preparation Laboratory.. . . . . . . . . 120
Inventory Control.. . . . . . . . . . . 120
Web Hosting. . . . . . . . . . . . 121
Computer Forensics Laboratory Requirements.. . . . . . 121
Laboratory Layout.. . . . . . . . . . . 121
Laboratory Management. . . . . . . . . . 141
Laboratory Access. . . . . . . . . . . 141
Extracting Evidence from a Device.. . . . . . . . . 144
Using the dd Utility.. . . . . . . . . . . 144
Using Global Regular Expressions Print (GREP). . . . . 145
Skimmers. . . . . . . . . . . . . . 152
Summary.. . . . . . . . . . . . . . 156
Chapter 5: Online Investigations 162
Introduction.. . . . . . . . . . . . . . 162
Working Undercover. . . . . . . . . . . . 163
Generate an Identity.. . . . . . . . . . . 164
Generate an Email Account.. . . . . . . . . 165
Mask Your Identity. . . . . . . . . . . 167
Website Evidence.. . . . . . . . . . . . 171
Website Archives.. . . . . . . . . . . 171
Website Statistics.. . . . . . . . . . . 172
Background Searches on a Suspect. . . . . . . . . 173
Personal Information: Mailing Address, Email Address, Telephone Number, and Assets. . . . . . . . 174
Personal Interests and Membership of User Groups.. . . . 178
Searching for Stolen Property.. . . . . . . . . 179
Online Crime.. . . . . . . . . . . . . 195
Identity Theft.. . . . . . . . . . . . 195
Credit Cards for Sale. . . . . . . . . . . 195
Electronic Medical Records.. . . . . . . . . 196
Cyberbullying.. . . . . . . . . . . . 196
Social Networking.. . . . . . . . . . . 196
Capturing Online Communications.. . . . . . . . . 197
Using Screen Captures.. . . . . . . . . . 197
Using Video.. . . . . . . . . . . . 199
Viewing Cookies.. . . . . . . . . . . 199
Using Windows Registry.. . . . . . . . . . 200
Summary.. . . . . . . . . . . . . . 202
Chapter 6: Documenting the Investigation 210
Introduction.. . . . . . . . . . . . . . 210
Obtaining Evidence from a Service Provider.. . . . . . . 211
Documenting a Crime Scene.. . . . . . . . . . 211
Seizing Evidence. . . . . . . . . . . . . 213
Crime Scene Examinations. . . . . . . . . 213
Documenting the Evidence.. . . . . . . . . . 214
Completing a Chain of Custody Form.. . . . . . . 215
Completing a Computer Worksheet. . . . . . . . 216
Completing a Hard Disk Drive Worksheet.. . . . . . 217
Completing a Server Worksheet. . . . . . . . 218
Using Tools to Document an Investigation. . . . . . . 220
CaseNotes.. . . . . . . . . . . . . 220
FragView. . . . . . . . . . . . . 220
Helpful Mobile Applications (Apps).. . . . . . . . 221
Network Analyzer. . . . . . . . . . . 221
System Status.. . . . . . . . . . . . 221
The Cop App.. . . . . . . . . . . . 221
Lock and Code. . . . . . . . . . . . 221
Digital Forensics Reference.. . . . . . . . . 221
Federal Rules of Civil Procedure (FRCP).. . . . . . . 222
Federal Rules of Evidence (FREvidence).. . . . . . . 222
Writing Reports.. . . . . . . . . . . . . 222
Time Zones and Daylight Saving Time (DST).. . . . . . 222
Creating a Comprehensive Report. . . . . . . . 224
Using Expert Witnesses at Trial. . . . . . . . . . 227
The Expert Witness.. . . . . . . . . . . 228
The Goals of the Expert Witness.. . . . . . . . 228
Preparing an Expert Witness for Trial.. . . . . . . 228
Summary.. . . . . . . . . . . . . . 231
Chapter 7: Admissibility of Digital Evidence 238
Introduction.. . . . . . . . . . . . . . 238
History and Structure of the United States Legal System. . . . 239
Origins of the U.S. Legal System.. . . . . . . . 240
Overview of the U.S. Court System.. . . . . . . . 241
In the Courtroom.. . . . . . . . . . . 245
Evidence Admissibility.. . . . . . . . . . . 248
Constitutional Law.. . . . . . . . . . . . 248
First Amendment.. . . . . . . . . . . 248
First Amendment and the Internet.. . . . . . . . 249
Fourth Amendment.. . . . . . . . . . . 251
Fifth Amendment.. . . . . . . . . . . 263
Sixth Amendment.. . . . . . . . . . . 264
Congressional Legislation. . . . . . . . . . 265
Rules for Evidence Admissibility. . . . . . . . 271
Criminal Defense.. . . . . . . . . . . 276
When Computer Forensics Goes Wrong.. . . . . . . . 277
Pornography in the Classroom. . . . . . . . . 277
Structure of the Legal System in the European Union (E.U.).. . . . 278
Origins of European Law. . . . . . . . . . 278
Structure of European Union Law.. . . . . . . . 279
Structure of the Legal System in Asia. . . . . . . . 282
China. . . . . . . . . . . . . . 282
India.. . . . . . . . . . . . . . 282
Summary.. . . . . . . . . . . . . . 283
Chapter 8: Network Forensics 292
Introduction.. . . . . . . . . . . . . . 292
The Tools of the Trade.. . . . . . . . . . . 293
Networking Devices.. . . . . . . . . . . . 294
Proxy Servers. . . . . . . . . . . . 295
Web Servers. . . . . . . . . . . . 295
DHCP Servers.. . . . . . . . . . . . 298
SMTP Servers.. . . . . . . . . . . . 299
DNS Servers. . . . . . . . . . . . 301
Routers.. . . . . . . . . . . . . 302
IDS.. . . . . . . . . . . . . . 304
Firewalls.. . . . . . . . . . . . . 304
Ports.. . . . . . . . . . . . . . 305
Understanding the OSI Model.. . . . . . . . . . 305
The Physical Layer. . . . . . . . . . . 306
The Data Link Layer. . . . . . . . . . . 306
The Network Layer. . . . . . . . . . . 306
The Transport Layer.. . . . . . . . . . . 307
The Session Layer.. . . . . . . . . . . 308
The Presentation Layer.. . . . . . . . . . 308
The Application Layer.. . . . . . . . . . 309
Advanced Persistent Threats. . . . . . . . . . 310
Cyber Kill Chain.. . . . . . . . . . . . 310
Indicators of Compromise (IOC). . . . . . . . 312
Investigating a Network Attack.. . . . . . . . . . 313
Summary.. . . . . . . . . . . . . . 314
Chapter 9: Mobile Forensics 320
Introduction.. . . . . . . . . . . . . . 320
The Cellular Network.. . . . . . . . . . . . 322
Base Transceiver Station.. . . . . . . . . . 322
Mobile Station.. . . . . . . . . . . . 326
Cellular Network Types.. . . . . . . . . . 331
SIM Card Forensics.. . . . . . . . . . . 334
Types of Evidence.. . . . . . . . . . . 337
Handset Specifications.. . . . . . . . . . . 338
Memory and Processing.. . . . . . . . . . 338
Battery.. . . . . . . . . . . . . 338
Other Hardware.. . . . . . . . . . . . 338
Mobile Operating Systems. . . . . . . . . . . 339
Android OS. . . . . . . . . . . . . 339
Windows Phone. . . . . . . . . . . . 347
Standard Operating Procedures for Handling Handset Evidence.. . . 347
National Institute of Standards and Technology .. . . . . 348
Preparation and Containment. . . . . . . . . 349
Wireless Capabilities.. . . . . . . . . . . 352
Documenting the Investigation. . . . . . . . . 354
Handset Forensics.. . . . . . . . . . . . 354
Cellphone Forensic Software.. . . . . . . . . 354
Cellphone Forensics Hardware.. . . . . . . . 357
Logical versus Physical Examination.. . . . . . . 358
Manual Cellphone Examinations.. . . . . . . . . 358
Flasher Box.. . . . . . . . . . . . 359
Global Satellite Service Providers.. . . . . . . . . 360
Satellite Communication Services.. . . . . . . . 360
Legal Considerations.. . . . . . . . . . . . 360
Carrier Records.. . . . . . . . . . . . 361
Other Mobile Devices.. . . . . . . . . . . . 361
Tablets.. . . . . . . . . . . . . 361
GPS Devices.. . . . . . . . . . . . 362
Summary.. . . . . . . . . . . . . . 364
Chapter 10: Photograph Forensics 372
Introduction.. . . . . . . . . . . . . . 372
Understanding Digital Photography.. . . . . . . . . 375
File Systems.. . . . . . . . . . . . 375
Digital Photography Applications and Services.. . . . . 376
Examining Picture Files.. . . . . . . . . . . 377
Exchangeable Image File Format (EXIF).. . . . . . . 377
Evidence Admissibility.. . . . . . . . . . . 380
Federal Rules of Evidence (FRE).. . . . . . . . 380
Analog vs. Digital Photographs.. . . . . . . . 381
Case Studies.. . . . . . . . . . . . . 382
Worldwide Manhunt.. . . . . . . . . . . 382
NYPD Facial Recognition Unit.. . . . . . . . . 383
Summary.. . . . . . . . . . . . . . 384
Chapter 11: Mac Forensics 390
Introduction.. . . . . . . . . . . . . . 390
A Brief History.. . . . . . . . . . . . . 391
Macintosh. . . . . . . . . . . . . 391
Mac Mini with OS X Server.. . . . . . . . . 391
iPod. . . . . . . . . . . . . . 393
iPhone. . . . . . . . . . . . . . 394
iPad. . . . . . . . . . . . . . 394
Apple Wi-Fi Devices.. . . . . . . . . . . 395
Macintosh File Systems.. . . . . . . . . . . 397
Forensic Examinations of a Mac.. . . . . . . . . 398
IOReg Info.. . . . . . . . . . . . . 398
PMAP Info.. . . . . . . . . . . . . 399
Epoch Time.. . . . . . . . . . . . 399
Recovering Deleted Files.. . . . . . . . . . 401
Journaling. . . . . . . . . . . . . 401
DMG File System.. . . . . . . . . . . 401
PList Files.. . . . . . . . . . . . . 401
SQLite Databases.. . . . . . . . . . . 404
Macintosh Operating Systems.. . . . . . . . . . 404
Mac OS X.. . . . . . . . . . . . . 405
Target Disk Mode.. . . . . . . . . . . 408
Apple Mobile Devices. . . . . . . . . . . . 409
iOS.. . . . . . . . . . . . . . 410
iOS 7.. . . . . . . . . . . . . . 410
iOS 8.. . . . . . . . . . . . . . 410
Security and Encryption.. . . . . . . . . . 411
iPod. . . . . . . . . . . . . . 412
iPhone. . . . . . . . . . . . . . 413
Enterprise Deployment of iPhone and iOS Devices.. . . . 426
Case Studies.. . . . . . . . . . . . . 426
Find My iPhone.. . . . . . . . . . . . 427
Wanted Hactevist.. . . . . . . . . . . 427
Michael Jackson.. . . . . . . . . . . 427
Stolen iPhone. . . . . . . . . . . . 427
Drug Bust.. . . . . . . . . . . . . 427
Summary.. . . . . . . . . . . . . . 428
Chapter 12: Case Studies 436
Introduction.. . . . . . . . . . . . . . 436
Zacharias Moussaoui.. . . . . . . . . . . . 437
Background.. . . . . . . . . . . . 437
Digital Evidence.. . . . . . . . . . . . 438
Standby Counsel Objections.. . . . . . . . . 439
Prosecution Affidavit.. . . . . . . . . . . 440
Exhibits.. . . . . . . . . . . . . 440
Email Evidence. . . . . . . . . . . . 440
BTK (Bind Torture Kill) Killer. . . . . . . . . . 441
Profile of a Killer. . . . . . . . . . . . 441
Evidence.. . . . . . . . . . . . . 442
Cyberbullying.. . . . . . . . . . . . . 443
Federal Anti-harassment Legislation.. . . . . . . 443
State Anti-harassment Legislation.. . . . . . . . 443
Warning Signs of Cyberbullying.. . . . . . . . 443
What Is Cyberbullying?.. . . . . . . . . . 444
Phoebe Prince.. . . . . . . . . . . . 444
Ryan Halligan.. . . . . . . . . . . . 445
Megan Meier.. . . . . . . . . . . . 445
Tyler Clementi.. . . . . . . . . . . . 445
Sports.. . . . . . . . . . . . . . . 447
Summary.. . . . . . . . . . . . . . 449
TOC, 9780789741158, 11/20/2014
Dr. Darren R. Hayes is a leading expert in the field of digital forensics and computer security. He is the director of cybersecurity and an assistant professor at Pace University, and he has been named one of the Top 10 Computer Forensics Professors by Forensics Colleges.
Hayes has served on the board of the High Technology Crime Investigation Association (HTCIA), Northeast Chapter, and is the former president of that chapter. He also established a student chapter of the HTCIA at Pace University.
During his time at Pace University, Hayes developed a computer forensics track for the school’s bachelor of science in information technology degree. He also created a computer forensics research laboratory, where he devotes most of his time to working with a team of students in computer forensics and, most recently, the burgeoning field of mobile forensics. As part of his research and promotion of this scientific field of study, he has fostered relationships with the NYPD, N.Y. State Police, and other law enforcement agencies. He also organized a successful internship program at the cybercrime division of the New York County D.A. Office and the Westchester County D.A. Office.
Hayes is not only an academic, however—he is also a practitioner. He has been an investigator on both civil and criminal investigations and has been called upon as an expert for a number of law firms. In New York City, Hayes has been working with six to eight public high schools to develop a curriculum in computer forensics. He collaborates on computer forensics projects internationally and has served as an extern examiner for the MSc in Forensic Computing and Cybercrime Investigation degree program at University College Dublin for four years.
Hayes has appeared on Bloomberg Television and Fox 5 News and been quoted by Associated Press, CNN, Compliance Week, E-Commerce Times, The Guardian (UK), Investor’s Business Daily, MarketWatch, Newsweek, Network World, Silicon Valley Business Journal, USA Today, Washington Post, and Wired News. His op-eds have been published by American Banker’s BankThink and The Hill’s Congress Blog. In addition, he has authored a number of peer-reviewed articles in computer forensics, most of which have been published by the Institute of Electrical and Electronics Engineers (IEEE). Hayes has been both an author and reviewer for Pearson Prentice Hall since 2007.
|
Ask a Question About this Product More... |
|
