Preface

THE ROLE AND RESPONSIBILITY of a cyber forensic investigator is to accurately report upon actions taken to expertly identify, extract, and analyze those data that will ultimately represent evidential matter as part of an investigation of an individual who is suspected of engaging in unauthorized activities.

As an expert, a cyber forensic investigator who heavily relies upon the automated, generated results of a forensic software tool, without an intimate knowledge of how the results have been achieved, is risking not only his or her professional reputation but also the potential of a successful outcome to an investigation.

Data, the primordial building blocks of information as we know it, begins life as nothing more than electrical impulses representing an existence or lack thereof, of an electrical charge. Knowing just how these pulses end up as data, and how these data then end up as potential evidence, is an essential skill for a cyber forensic investigator.

The evolution of bits and bytes into data and finally into human-understandable text is not rocket science; somewhat technical yes, but not beyond the reach or understanding of the professional looking to gain a greater understanding of HOW data become digital forensic evidence, WHERE to look for this evidence, buried beneath hundreds of millions of bytes of data, and WHY specific data may lead the investigator to the proverbial “smoking gun.”

In communicating the results of a cyber forensic investigation, responding to the question “How did you identify the specific data you examined to reach your conclusion?” by alluding to your use of a specific cyber forensic tool, without a thorough understanding of how that tool “achieved” its answer, could be professionally dangerous.

Reliance on the software to produce an answer, without a solid understanding of the HOWs, WHATs, WHYs, and the theory and logic behind how the answer was attained is akin to submitting all of the correct answers to a mathematics exam and failing, because you did not show your work. Knowing the answer without knowing how you achieved the answer or how to explain how the answer was achieved is having only half of a solution.

The book you are about to read will provide you with the specific knowledge to speak confidently about the validity of the data identified, accessed, and analyzed as part of a comprehensive cyber forensic investigation.

We start small, in fact very small . . . bits and bytes small, explaining the origins of data and progressing onward, addressing concepts related to data storage, boot records, partitions, volumes, and file systems, how each of these is interrelated and essential in a cyber forensic investigation, the role each plays in an investigation, and what type of evidential data may be identified within each of these areas.

Also addressed are two often overlooked topics which impact almost every cyber-based investigation: endianness and time. Each of these topics rightly deserves its own chapter and is discussed in depth with respect to its impact and influence on data and ultimately on the identification of digital evidence.

In an effort to more effectively introduce specific information technology (IT) and cyber forensic concepts and discuss critical cyber forensic processes, we proudly introduce Ronelle Sawyer and Jose McCarthy, employees who become involved in the theft of intellectual property.

Ronelle and Jose’s activities and actions are discussed throughout the book as an ongoing case, designed to provide the reader with specific examples of the application of the cyber forensic concepts discussed throughout the 12 primary chapters of this book. Although the case and characters are fictitious, the scenario presented is not.

Along with this case, we have developed and present an exemplar forensic investigation report (Forensic Investigations, ABC Inc.), which appears as an Appendix to this book. This exemplar report provides the reader with a basic forensic report template, which summarizes the forensic investigation and case data as it would be compiled for submission to a respective authorized recipient. We realize that there are many varied ways in which the results of an investigation may be compiled and presented; the report included herein is an example of one such way.

While each investigation is unique, there will be similarities, and although each case is unique unto itself, a generalized investigation approach can be constructed. We have provided you, the reader, with generalized Investigative Smart Practices (ISPs) to draw on as you hone and develop your own investigative processes. These are not “best practices,” but “smart practices”: steps, procedures, and actions which, in general, can be applied to most cyber forensic cases and investigations.

It would be illogical to try to present an investigative procedure or methodology and claim that it is universal, that it can be applied in all instances under all circumstances. As such, our ISPs cast the widest net and are applicable to most general investigative cases. It is up to you, the reader, to add to this base, adding specific, specialized company, department, or agency steps and procedures, which will result in a uniquely identifiable case-by-case investigative process.

Regardless of your confidence in the data identified via your investigative efforts or through the use of any specific or generalized cyber forensic software, take to heart the Russian proverb, “doveryai, no proveryai,” made famous by the late Ronald Reagan: “trust but verify!”

This book will provide you with a comprehensive examination and discussion of the science of cyber forensic investigations, what is happening behind the scenes to data and why, what to look for and where to find it . . . progressing logically, from data to digital evidence.

Al Marcella and Fred Guillossou
