Contents
Chapter One: The Fundamentals of Data
Base 2 Numbering System: Binary and Character Encoding
Communication in a Two-State Universe
Building Blocks: The Origins of Data
Growing the Building Blocks of Data
American Standard Code for Information Interchange
Character Codes: The Basis for Processing Textual Data
Chapter Two: Binary to Decimal
American Standard Code for Information Interchange
Why is this Important in Forensics?
A Forensic Case Example: An Application of the Math
Decimal to Binary: Recap for Review
Chapter Three: The Power of HEX: Finding Slivers of Data
The Needle within the Haystack
Files, File Structures, and File Formats
Changing a File’s Extension to Evade Detection
Complex Files: Compound, Compressed, and Encrypted Files
Appendix 4A: Common File Extensions
Appendix 4B: File Signature Database
Appendix 4C: Magic Number Definition
Appendix 4D: Compound Document Header
Chapter Five: The Boot Process and the Master Boot Record (MBR)
Primary Functions of the Boot Process
Forensic Imaging and Evidence Collection
BIOS Setup Utility: Step by Step
Chapter Six: Endianness and the Partition Table
Partition Table within the Master Boot Record
Chapter Seven: Volume versus Partition
Cylinder, Head, Sector, and Logical Block Addressing
Chapter Eight: File Systems—FAT 12/16
File Allocation Table (FAT) File System
How is Cluster Size Determined?
Appendix 8A: Partition Table Fields
Appendix 8B: File Allocation Table Values
Appendix 8C: Directory Entry Byte Offset Description
Appendix 8D: FAT 12/16 Byte Offset Values
Appendix 8E: FAT 32 Byte Offset Values
Chapter Nine: File Systems—NTFS and Beyond
Alternative Filing System Concepts
Appendix 9A: Common NTFS System Defined Attributes
Chapter Ten: Cyber Forensics: Investigative Smart Practices
Forensic Investigative Smart Practices
Chapter Eleven: Time and Forensics
Clock Models and Time Bounding: The Foundations of Forensic Time
MS-DOS 32-Bit Timestamp: Date and Time
Chapter Twelve: Investigation: Incident Closure
Forensic Investigative Smart Practices
Step 5: Investigation (Continued)
Characteristics of a Good Cyber Forensic Report
Step 7: Retention and Curation of Evidence
Step 8: Investigation Wrap-Up and Conclusion
Investigator’s Role as an Expert Witness