Contents

Preface

Acknowledgments

Chapter One: The Fundamentals of Data

Base 2 Numbering System: Binary and Character Encoding

Communication in a Two-State Universe

Electricity and Magnetism

Building Blocks: The Origins of Data

Growing the Building Blocks of Data

Moving Beyond Base 2

American Standard Code for Information Interchange

Character Codes: The Basis for Processing Textual Data

Extended ASCII and Unicode

Summary

Notes

Chapter Two: Binary to Decimal

American Standard Code for Information Interchange

Computer as a Calculator

Why is this Important in Forensics?

Data Representation

Converting Binary to Decimal

Conversion Analysis

A Forensic Case Example: An Application of the Math

Decimal to Binary: Recap for Review

Summary

Chapter Three: The Power of HEX: Finding Slivers of Data

What the HEX?

Bits and Bytes and Nibbles

Nibbles and Bits

Binary to HEX Conversion

Binary (HEX) Editor

The Needle within the Haystack

Summary

Notes

Chapter Four: Files

Opening

Files, File Structures, and File Formats

File Extensions

Changing a File’s Extension to Evade Detection

Files and the HEX Editor

File Signature

ASCII is not Text or HEX

Value of File Signatures

Complex Files: Compound, Compressed, and Encrypted Files

Why do Compound Files Exist?

Compressed Files

Forensics and Encrypted Files

The Structure of Ciphers

Summary

Notes

Appendix 4A: Common File Extensions

Appendix 4B: File Signature Database

Appendix 4C: Magic Number Definition

Appendix 4D: Compound Document Header

Chapter Five: The Boot Process and the Master Boot Record (MBR)

Booting Up

Primary Functions of the Boot Process

Forensic Imaging and Evidence Collection

Summarizing the BIOS

BIOS Setup Utility: Step by Step

The Master Boot Record (MBR)

Partition Table

Hard Disk Partition

Summary

Notes

Chapter Six: Endianness and the Partition Table

The Flavor of Endianness

Endianness

The Origins of Endian

Partition Table within the Master Boot Record

Summary

Notes

Chapter Seven: Volume versus Partition

Tech Review

Cylinder, Head, Sector, and Logical Block Addressing

Volumes and Partitions

Summary

Notes

Chapter Eight: File Systems—FAT 12/16

Tech Review

File Systems

Metadata

File Allocation Table (FAT) File System

Slack

HEX Review Note

Directory Entries

File Allocation Table (FAT)

How is Cluster Size Determined?

Expanded Cluster Size

Directory Entries and the FAT

FAT Filing System Limitations

Directory Entry Limitations

Summary

Appendix 8A: Partition Table Fields

Appendix 8B: File Allocation Table Values

Appendix 8C: Directory Entry Byte Offset Description

Appendix 8D: FAT 12/16 Byte Offset Values

Appendix 8E: FAT 32 Byte Offset Values

Appendix 8F: The Power of 2

Chapter Nine: File Systems—NTFS and Beyond

New Technology File System

Partition Boot Record

Master File Table

NTFS Summary

exFAT

Alternative Filing System Concepts

Summary

Notes

Appendix 9A: Common NTFS System Defined Attributes

Chapter Ten: Cyber Forensics: Investigative Smart Practices

The Forensic Process

Forensic Investigative Smart Practices

Time

Summary

Note

Chapter Eleven: Time and Forensics

What is Time?

Network Time Protocol

Timestamp Data

Keeping Track of Time

Clock Models and Time Bounding: The Foundations of Forensic Time

MS-DOS 32-Bit Timestamp: Date and Time

Date Determination

Time Determination

Time Inaccuracy

Summary

Notes

Chapter Twelve: Investigation: Incident Closure

Forensic Investigative Smart Practices

Step 5: Investigation (Continued)

Step 6: Communicate Findings

Characteristics of a Good Cyber Forensic Report

Report Contents

Step 7: Retention and Curation of Evidence

Step 8: Investigation Wrap-Up and Conclusion

Investigator’s Role as an Expert Witness

Summary

Notes

Chapter Thirteen: A Cyber Forensic Process Summary

Binary

Binary—Decimal—ASCII

Data Versus Code

HEX

From Raw Data to Files

Accessing Files

Endianness

Partitions

File Systems

Time

The Investigation Process

Summary

Appendix

Glossary

About the Authors

Index
