A. Chapter Review Answers

This section contains answers for the review questions at the end of each chapter. Notice that it does not include those for Chapter Exercises. The Chapter Exercises were designed in such a manner that each person performing the exercise is likely to get different results than another person doing the same exercise. Expecting anything other than that would be akin to expecting every forensic investigation to uncover exactly the same data. Your instructor can assist you in determining how well you did in the exercises.

Chapter 1

1. Answers should include several areas of concern. Different file formats use different cluster sizes, which in turn lead to varying potentials for the amount of slack space. Also, each file system has its own way of dealing with file deletion. How files are tracked in the file system is important as well.

2. Looking for various text strings on the disk can help locate the folders and files that host those strings. Utilities such as GREP and strings allow you to find strings such as “Priscilla” or “Georgia.” Also, a search for industry-specific terms or common phrases used in pornographic literature can help.

3. When a file is deleted, the data is not immediately erased from the surface of the drive. Until that disk space is reused, the data can be recovered.

4. Slack space is unused data bits in a cluster. Unallocated space is any drive space not specifically assigned to a file. Either space can potentially hold residual data from files that were once stored in those locations.

5. Data carving is the practice of extracting files from unallocated space. It works by finding a common file header and copying all data between the header and the end-of-file marking used by the type of file identified in the header.

Chapter 2

1. The First Amendment protects a citizen’s right of free speech. A Web site operator can sue to protect sources of information and prevent the seizure of files as part of their “freedom of the press” liberties. The Fourth Amendment protects us all from unreasonable search and seizure. This is the constitutional right most frequently invoked. The Fifth Amendment prohibits the government from forcing a person to incriminate themselves. Giving up passwords and allowing access to encrypted information is frequently cited as a violation of the Fifth Amendment.

2. Constitutional protections only apply to government activities or those authorized by the government. A private citizen does not violate a person’s constitutional rights even if the search performed is illegal. There may be civil issues involved, but not constitutional issues.

3. When the owner of the nightclub contracts with another entity to perform services, the owner assumes responsibility for the entity’s behavior while in the owner’s employ. The courts consider that the nightclub owner is obligated to know what goes on within the confines of the business. The building owner, on the other hand, is merely leasing residency rights to the nightclub owner. The lessor is not expected to monitor the behavior of the lessee.

4. Hearsay is the act of relaying something that you heard, and not something that you saw. There is no way of confirming the veracity of a rumor. So if you testify that Johnnie told you he saw Jimmy rob the liquor store, you are relying on hearsay evidence. If you testify that you saw Jimmy rob the liquor store, you are giving eyewitness testimony. An expert witness, on the other hand, is being asked to give an expert opinion based on what he or she is able to observe about the events that occurred. An expert witness is not expected to have been present at the scene, but is expected to be able to provide an analysis of evidence collected at the scene.

5. Trick question. The Constitution does not guarantee a right to privacy. That is why there has been so much legislation passed that protects an individual’s privacy in a variety of circumstances.

Chapter 3

1. If you have been ordered to appear in court and present evidence or give testimony, you are responding to a subpoena.

2. A subpoena can be quashed if the recipient can demonstrate that the terms of the subpoena are unreasonable and impose undue hardship in order to comply.

3. A closed container receives special treatment in the eyes of the law. If a container is closed, the courts make the assumption that the owner has a reasonable expectation of privacy. A computer system is considered to be like a sealed box containing file folders. You have to “open” the box (by starting it up, logging in, and searching the folders) to get to the enclosed information. A computer or any other sealed box can be confiscated incident to arrest. But in order to search the files, a warrant must be obtained.

4. Particularity comes in the form of “particularity of place” and “particularity of items to be seized.” Both must be met to fulfill the terms of a warrant. The warrant must state exactly where the search will occur and what evidence is being sought. Therefore, a warrant ordering the search and seizure of all computer devices at 1 Main Street owned by Billy Bob Smith would be considered valid. If the executor of the warrant seizes a computer from Billy Bob’s car, that is an unconstitutional seizure, because the car was not specified in the warrant.

5. A sneak and peek warrant allows the executor to perform the actions specified by the warrant and then notify the suspect after the fact.

Chapter 4

1. The Privacy Act of 1974 specified what kind of information could be collected by government agencies, how that information could be used, and who had the right to view it. It added protections to individuals by setting up a process by which the individual had the right to view records and request that errors be corrected. Any organization collecting and maintaining private information was responsible for ensuring the reliability of information they disseminated.

2. Financial data, medical information, and educational information all are maintained by organizations and/or agencies that were not necessarily covered under the Privacy and Electronic Communications Act. By passing separate legislation, the laws became more granular in regard to the type of information they protected and the rights that individuals had to safeguard their information.

3. There are a couple of significant differences between civil litigation and criminal prosecution. The most significant difference lies in whether or not the individuals involved enjoy constitutional protection. Two nongovernment entities duking it out over a patent infringement case will only be protected by acts of legislation and not constitutional enforcement. The second difference is that civil litigation is covered under the Federal Rules of Civil Procedure, while a criminal investigation is covered under the Federal Rules of Evidence. There are different rules regarding what information is allowable, how information can be obtained, and whether or not certain information is protected by law.

4. HIPAA covers the health and insurance industries. FERPA covers educational institutions. Each piece of legislation defines how information can be shared by the entities covered and what the rules for obtaining that information are.

5. Attorney/client privileges protect communications between a person and his lawyer. Such communications cannot be entered as evidence in court. The same applies to doctor/patient privileges. Work/product dictates that certain documents that are prepared in anticipation of legal action can be protected from a discovery motion. Lastly, intellectual property may be protected if ordered so by the court. Additionally, pretrial negotiations may limit exposure to intellectual property.

Chapter 5

1. The three elements of admissibility are relevance, authenticity, and competence. The information presented must be directly related to the case, it must be proven to be accurate and untainted, and it must prove to be unrestrained by statutory or constitutional limitations. Any piece of evidence that cannot meet all three of these requirements will be suppressed.

2. The exclusionary rule relates to the previous question. If evidence cannot meet all three elements of admissibility, it must be excluded from proceedings. If the evidence presented to the court is determined to be inadmissible, and it is excluded, the judge may issue an adverse ruling against the party that presented the evidence.

3. Under the plain view doctrine, if during the course of a legal search, evidence that is not defined in the original warrant is found in a place clearly visible to the naked eye and is easily identifiable as evidence, then it can be legally collected and used. When searching for files on a computer, it is very common to find files that suggest that another crime other than the one under investigation has been committed. If these files are found during a legal search, they can be included as evidence. To start a completely different search without a warrant, based on finding the first file, would not be legal, and the subsequent files found are likely to be excluded.

4. As discussed in the previous chapter, a warrant must define precisely what is being sought and where the investigators are allowed to search. If the particularity requirements are not fulfilled, then the exclusionary rule kicks in and the evidence is suppressed.

5. Any search performed by a private citizen is not covered by the Constitution. This includes actions by vigilante groups. The search may be illegal in other regards, but it is not unconstitutional.

Chapter 6

1. Locard states that everything that touches a crime scene leaves something behind and that everything that leaves a crime scene takes something with it. All digital information leaves some sort of footprint behind. Deleted files leave behind information in the file system or the registry. Rootkits that run generally have some entry in the registry that they use to launch them. Remote connections can potentially leave behind logs of those connections.

2. Class characteristics of a house would include such information as what type of architecture it represents (Victorian, Tudor, Colonial, etc.) or whether it is a duplex or a single-family home. Individual characteristics would include what color it is, how much land it sits on, whether it is a tiled or shingled roof, what kind of porch it has, and so forth.

3. A digital document has metadata that may include information such as who the original author is, who edited it, creation and modification dates, and so forth. It also has associated system information tied to it, such as file system metadata, registry details, and so forth. The physical document can be examined for fingerprints, it can possibly retain DNA from people who handled the document, or it can be studied to see if there are any unique characteristics that link it to a specific printer.

4. A lot can happen during the transportation of evidence. It can get lost or stolen. The package may pass through a heavy magnetic field, corrupting its contents. Or a cell phone not properly protected might have its contents altered remotely by someone dialing in. The chain of custody should define how the item was transported. If there is no accountability for the item during transport, the chain of custody can be challenged.

5. The Faraday box blocks electromagnetic radiation. Blocking incoming signals prevents a communications device from making a connection with a device seized as evidence. Nobody can call in and activate a logic bomb that wipes the contents before you have a chance to examine it.

Chapter 7

1. There is a high potential that material of evidentiary value can be found in RAM, in temporary files, and in log files that are constantly overwritten. Other information, such as routing tables, is rewritten constantly. The order of volatility suggests what sequence to take when capturing data from a suspect machine.

2. Items that can always be found in RAM include running processes, open ports, and routing tables. It shows what user is logged in at the time of capture. Potentially there could be passwords stored in plain text in RAM if used recently.

3. Some memory capture tools capture memory cache addresses from devices such as hard disks and controller cards in addition to live RAM. This is stored as part of the memory file.

4. The footprint is a term for how much space a running process takes in memory. If an executable file requires 104KB to run, then it has a 104KB footprint. Running the utilities required to capture RAM requires that the executable be run on the host, so its footprint exists in host memory and not the investigator’s machine. In order to make room for the executable, the target OS may move information of evidentiary value from live memory to the swap file.

5. Write-protection devices prevent the process of capturing the forensic image from making any changes to the device being captured. Conventional OS processes, such as Copy or Move, will make changes to the file system and to the metadata of the files themselves. This is not acceptable when making a forensic image.

Chapter 8

1. The file system controls how files are stored on the hard disk, what metadata is used to identify files, and how those files are indexed. Additionally, different operating systems take unique approaches to deleting files. Therefore, the target OS not only determines the likelihood of recovering data, it dictates the methods and tools that you use in your approach.

2. Any tool that compares file hashes to the KFF database, such as The Sleuth Kit or any of the other suites, can help identify known pornographic files. String search tools, such as strings or GREP, can let you do keyword searches for specific names of people or states. In order to locate deleted files, a data carving utility can locate header and EOF markers for known file formats.

3. Most file systems do not wipe data from the hard disk when the user elects to erase a file. Instead, the space is merely reallocated for future use. The raw data continues to exist on the surface of the medium.

4. Slack space is disk area that is part of an allocated cluster or partition that cannot be used because the file system cannot directly address it for new data. In file slack, this is because the cluster is occupied by a file that does not use the entire cluster. The space it doesn’t use is slack. In a partition, it is space that exists between multiple partitions on a disk. Unallocated space is space that is available to the file system but not yet assigned to a specific file—or no longer assigned to a file, in the case of a deleted file. Just because this space isn’t addressed by a file system does not mean that it can’t hold data.

5. Utilities that can directly access disk space can copy unallocated space as a file. Additionally, a disk image is a single file that holds the entire contents of the target disk, including unallocated space. Either way, data carving utilities can be used to rebuild files or disk editors can be used to copy data from unallocated space into a file that can be read by the system.
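The header-to-EOF carving described in Chapter 1, question 5 and Chapter 8, questions 2 and 5, as an added example that is not code from the book or from any named tool. The magic numbers and end-of-file markers are the real JPEG/PNG/GIF values; the unallocated-space dump is constructed inside the script so it runs offline.

```python
"""Header-to-footer data carver over a constructed unallocated-space dump.

Added example, not code from the book or from any named tool. The magic
numbers and end-of-file markers in SIGNATURES are the real JPEG/PNG/GIF
values; the dump itself is constructed below so the script runs offline.
"""
from dataclasses import dataclass
from typing import List, Optional

# Fixed-length magic number and EOF marker for each format. These are the
# "header" and "end-of-file marking" that a carver looks for.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),              # SOI ... EOI
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),   # signature ... IEND+CRC
    "gif": (b"GIF89a", b"\x00\x3b"),                    # header ... trailer
}


@dataclass
class CarvedFile:
    kind: str      # format name from SIGNATURES
    offset: int    # byte offset of the header in the dump
    data: bytes    # header through EOF marker, inclusive


def identify(data: bytes) -> Optional[str]:
    """Classify a blob by its magic number alone (no file name or extension)."""
    for kind, (magic, _) in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def carve(image: bytes, max_size: int = 10 * 1024 * 1024) -> List[CarvedFile]:
    """Return every header..EOF span found in the dump, in offset order.

    A header whose EOF marker does not appear within max_size bytes (a
    truncated or partly overwritten file) is skipped rather than carved; a
    fuller carver would fall back on format-specific structure to size it.
    """
    found: List[CarvedFile] = []
    pos = 0
    while pos < len(image):
        for kind, (magic, footer) in SIGNATURES.items():
            if image.startswith(magic, pos):
                end = image.find(footer, pos + len(magic), pos + max_size)
                if end != -1:
                    end += len(footer)
                    found.append(CarvedFile(kind, pos, image[pos:end]))
                    pos = end - 1          # resume right after the carved file
                break
        pos += 1
    return found


def build_sample_dump() -> bytes:
    """Constructed dump: filler, a JPEG-framed blob, filler, a PNG-framed blob,
    then a JPEG header with no EOI (the truncated case). Not real pictures."""
    filler = bytes(range(256)) * 2                       # 512 bytes, no signatures
    fake_jpeg = b"\xff\xd8\xff\xe0JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
    fake_png = (b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x22" * 21
                + b"\x00\x00\x00\x00IEND\xaeB`\x82")
    truncated = b"\xff\xd8\xff\xe1" + b"\x33" * 30
    return filler + fake_jpeg + filler + fake_png + truncated


if __name__ == "__main__":
    for f in carve(build_sample_dump()):
        print(f"{f.kind} at offset {f.offset}, {len(f.data)} bytes, type={identify(f.data)}")
```

Run against a real dump by passing the bytes of an unallocated-space file or disk image to `carve()` instead of `build_sample_dump()`.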

Chapter 9

1. The three forms of metadata are system metadata, substantive metadata, and embedded metadata. System metadata is part of the OS file system and tells you when a file was created and on what clusters it was located. Even after a file is completely wiped, the MFT files keep a record of that entry for a long time—until such point as the file system needs to purge records to make room for new entries. MAC data is derived from this source. Substantive metadata and embedded metadata are usually created by the application that generates the file. From this information you can track version histories, user IDs of people who edited the document, and even conflicts in MAC information.

2. There really isn’t much of a difference between headers and magic numbers. Both are useful in identifying what kind of file follows. A key difference is that magic numbers are generally a fixed length, whereas file headers vary widely in length.

3. MAC information is easily modified by the user. Many utilities can be downloaded off the Internet for this purpose. Additionally, a large number of file system activities, such as Copy and Move, alter MAC information in different ways. Investigators should always take care to corroborate MAC information in a file in other ways, such as system logs.

4. Word stores both substantive and embedded metadata. This includes information about the user who created the file and any user who edited it. You can see when a file was last saved or when it was last printed. If the “last printed” date falls before the Create date on the file, you know that the MAC data has been modified somewhere along the line. If other user information exists in the substantive metadata, then you know that the possibility exists that the file was modified, copied, or printed.

5. The list of temporary files isn’t quite infinite, but it is certainly very long. The critical ones include autosave files, automatic backups, temporary Internet files, history files, and cache files created by applications. Many times, a document that was deleted leaves behind autosaves or backup files. These can be used to show what the contents of the file were at the time the backup was made. Such information proves that the document existed and what type of information it contained. It also may prove whether or not the document was edited somewhere along the line.
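The “last printed before Create date” check from question 4, as an added example that is not code from the book. A .docx is a zip archive that keeps its document properties in docProps/core.xml; the element names used (dc:creator, cp:lastModifiedBy, cp:lastPrinted, dcterms:created, dcterms:modified) are the real ones, and the core.xml contents below are constructed so the check runs without a document on hand.

```python
"""Cross-check the embedded metadata of a Word (.docx) document.

Added example, not code from the book. A .docx is a zip archive and keeps
its document properties in docProps/core.xml; the element names used here
(dc:creator, cp:lastModifiedBy, cp:lastPrinted, dcterms:created,
dcterms:modified) are the real ones. The core.xml below is constructed so
the check runs without a document on hand.
"""
import xml.etree.ElementTree as ET
import zipfile
from datetime import datetime, timezone
from typing import Dict, List, Optional

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# Constructed core.xml: printed five days before it was "created", and last
# saved by a different user than the one who created it.
CORE_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>jsmith</dc:creator>
  <cp:lastModifiedBy>mjones</cp:lastModifiedBy>
  <cp:revision>7</cp:revision>
  <cp:lastPrinted>2011-04-28T14:05:00Z</cp:lastPrinted>
  <dcterms:created xsi:type="dcterms:W3CDTF">2011-05-03T13:03:22Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2011-05-03T13:10:00Z</dcterms:modified>
</cp:coreProperties>
"""

FIELDS = {
    "creator": "dc:creator",
    "last_modified_by": "cp:lastModifiedBy",
    "revision": "cp:revision",
    "created": "dcterms:created",
    "modified": "dcterms:modified",
    "last_printed": "cp:lastPrinted",
}


def read_core_xml(docx_path: str) -> bytes:
    """Pull docProps/core.xml out of a real .docx (a zip archive)."""
    with zipfile.ZipFile(docx_path) as z:
        return z.read("docProps/core.xml")


def parse_core(xml_bytes: bytes) -> Dict[str, Optional[str]]:
    """Return the fields in FIELDS as raw strings (None when absent)."""
    root = ET.fromstring(xml_bytes)
    props: Dict[str, Optional[str]] = {}
    for key, path in FIELDS.items():
        el = root.find(path, NS)
        props[key] = el.text.strip() if el is not None and el.text else None
    return props


def to_dt(value: Optional[str]) -> Optional[datetime]:
    """W3CDTF timestamps as Word writes them: 2011-05-03T13:03:22Z (UTC)."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_anomalies(props: Dict[str, Optional[str]],
                   fs_created: Optional[datetime] = None) -> List[str]:
    """Flag combinations that cannot be true of a file that was simply written,
    saved and left alone. fs_created is the file system's own creation time,
    when you have it; a Copy or Move typically resets it to a later value."""
    created, modified, printed = (to_dt(props[k]) for k in ("created", "modified", "last_printed"))
    findings: List[str] = []
    if printed and created and printed < created:
        findings.append("printed_before_created")
    if modified and created and modified < created:
        findings.append("modified_before_created")
    if props["creator"] and props["last_modified_by"] and props["creator"] != props["last_modified_by"]:
        findings.append("edited_by_other_user")
    if fs_created and created and fs_created > created:
        findings.append("fs_created_after_doc_created")
    return findings


if __name__ == "__main__":
    props = parse_core(CORE_XML)
    print(props)
    print(find_anomalies(props))
```

For a real document, call `find_anomalies(parse_core(read_core_xml("suspect.docx")))` and pass the file system creation time as `fs_created` to get the copy/move check as well.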

Chapter 10

1. The standard headers present in any e-mail message, regardless of client, are TO, FROM, SUBJECT, and DATE. While the content to be expected of any one of these headers should be self-explanatory, the problem is that there are numerous utilities that can falsify any of this information. The TO data can be harvested from e-mail servers and Web sites and autofilled into the header field. Virtually any mass-mailing software application allows the originator to fill the FROM field with any data that is desired. The subject is a good search field, but if the subject line says RE: Your Resume and the contents of the e-mail are all about male-enhancement drugs, it isn’t of much use. The DATE field, as in the FROM field, can be made to say anything the sender wishes.

2. Every e-mail contains information about every relay server it encountered. So even if the originating IP address is forged, the first SMTP server to relay it will most likely be authentic. This at least gives you the IP of the ISP.

3. Today’s e-mail clients store much more than just messages. They contain address books, store the attachments that accompanied the original messages, and hold a lot of information about e-mail traffic. Additionally, there might be calendars and notes utilities built into the client that can provide a great deal of information. To extract this information, you need to know first of all where the files are held and what their default names are. Second, you need to have a utility that can extract and analyze these files unless you can mount the information store on a machine with the same client.

4. Precision is the ratio of true positives to false positives in a search. A search that yields 40 false positives for every 100 “hits” on a search only has a precision ratio of 60%. Recall is the percentage of actual documents retrieved, compared to the number that actually exists. The latter is very difficult to measure. If 100 documents related to the “Barney’s Friends” search are turned up, yet 200 actual documents exist, you have a recall rate of 50%.

5. Nslookup will resolve a host name to an IP address, or vice versa. WHOIS will tell you a great deal of information about any machine or IP address registered in its database.
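The relay-chain reasoning in question 2, as an added example that is not code from the book. It walks the Received: headers of a raw message from the recipient’s server back toward the sender and separates the entries written by relays you can vouch for from entries that were already inside the message when it arrived. The message, host names and addresses are constructed (example.* names and documentation address ranges), and TRUSTED_RELAYS is an assumed list of servers the investigator controls.

```python
"""Walk the Received: chain of a raw e-mail from the recipient's server back
toward the sender, and separate relay entries you can rely on from entries
that were already inside the message when it arrived.

Added example, not code from the book. The message, host names and addresses
are constructed (documentation ranges, example.* names); TRUSTED_RELAYS is
an assumed list of the servers the investigator controls or can vouch for.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import List, Optional, Set

# Constructed message: the bottom Received header was planted by the sender
# and names a machine that never actually handled the message.
RAW_MESSAGE = """\
Received: from mx2.example.net (mx2.example.net [203.0.113.8])
    by mail.example.org with ESMTP id A1; Tue, 3 May 2011 09:03:22 -0400
Received: from relay1.example.net (relay1.example.net [203.0.113.5])
    by mx2.example.net with ESMTP id B2; Tue, 3 May 2011 09:03:20 -0400
Received: from friendlybank.example (unknown [198.51.100.77])
    by relay1.example.net with SMTP id C3; Tue, 3 May 2011 09:03:18 -0400
Received: from innocent.example.com (innocent.example.com [192.0.2.10])
    by smtp.bigmail.example with ESMTP id D4; Tue, 3 May 2011 09:03:10 -0400
From: "Your Bank" <alerts@friendlybank.example>
To: victim@example.org
Subject: RE: Your Resume
Date: Tue, 3 May 2011 09:03:10 -0400

Please confirm your account details.
"""

# Assumed: the servers whose Received headers the investigator can trust.
TRUSTED_RELAYS = {"mail.example.org", "mx2.example.net", "relay1.example.net"}

# "from <helo> (<reverse-dns> [<ip>]) by <host>" as most MTAs write it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\[\]\s]*)\s*\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)"
)


@dataclass
class Hop:
    helo: str            # name the connecting host announced about itself
    rdns: str            # name the receiving server resolved for the connecting IP
    ip: str              # address the receiving server saw the connection from
    by: str              # the server that wrote this header
    when: Optional[datetime]


def parse_received(raw: str) -> List[Hop]:
    """Return hops in transit order: index 0 is the bottom (earliest) header."""
    msg = message_from_string(raw)
    hops: List[Hop] = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())        # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if not m:
            continue                          # unparseable entry, keep going
        when = None
        if ";" in flat:
            try:
                when = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                pass
        hops.append(Hop(m["helo"], m["rdns"], m["ip"], m["by"], when))
    hops.reverse()
    return hops


def earliest_reliable_ip(hops: List[Hop], trusted: Set[str]) -> Optional[str]:
    """Walk down from the recipient's server while each header was written by a
    trusted relay; the last such header records the earliest IP that can be
    relied on. Anything below it arrived inside the message and may be forged."""
    reliable = None
    for hop in reversed(hops):
        if hop.by not in trusted:
            break
        reliable = hop.ip
    return reliable


def chain_gaps(hops: List[Hop]) -> List[int]:
    """Indexes where a header's 'by' host is not the next header's 'from' host,
    i.e. where the claimed relay path does not link up."""
    return [i for i in range(len(hops) - 1)
            if hops[i].by not in (hops[i + 1].helo, hops[i + 1].rdns)]


if __name__ == "__main__":
    hops = parse_received(RAW_MESSAGE)
    for i, h in enumerate(hops):
        print(f"{i}: {h.ip:15} ({h.rdns}) -> {h.by} at {h.when}")
    print("earliest reliable IP:", earliest_reliable_ip(hops, TRUSTED_RELAYS))
    print("unlinked hops:", chain_gaps(hops))
```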

Chapter 11

1. Cookies store information about a Web site that has been visited through a particular browser. If the cookie exists, then the site was visited. It is true that the site may have been visited inadvertently, as through a redirect (pop-up) or clicking on a link by accident. But the site was visited.

2. The VisitType field tells you if a site was reached by a redirect.

3. A common defense for people who have been discovered with contraband on their machine is, “I had no idea that was there!” Unless the prosecution can prove otherwise, there remains a reasonable doubt. A site may show up in their browser history as a result of a redirect, or a guest in their home may have used their machine for nefarious purposes. By showing that a person took a specific activity against a file, such as moving it, copying it, or deleting it, then there is evidence that the person knew the file was there to begin with.

4. Pop-up bombs occur when a user visits a Web site, which then instantly redirects the browser to multiple sites that the person probably has never even heard of. If a person under investigation actually was the victim of a pop-up bomb, it could appear that he or she visited a number of questionable sites during a single browser session.

5. Server log files will track a user’s session from the beginning, when they first log on, until the moment they log off. These files can tell you what sites they logged onto, how long they were on each site, and how many levels deep into a Web site they browsed. Times and dates of each event are logged, so server logs can be used to generate a time line. They also log authentication failures. If a person is trying to hack into a site or a remote machine, it will appear as multiple authentication failures.

Chapter 12

1. Without knowing a specific time frame in which to search for evidence, network forensics makes the needle even smaller in a much larger haystack. Network logs can only get so large before they are overwritten. Most cautious network administrators schedule routine archival of log files so that the information is saved before it is overwritten. Knowing when an event occurred greatly reduces the complexity of the search. It can also limit the number of users who can be considered suspects. A user who was in his fishing boat drowning worms was probably not guilty of hacking the payroll files. Unless his laptop has a cellular connection.

2. A keylogger collects every strike of every key into a file. While it is not super-easy to analyze, it is not overly complicated either. A user who types a password into the system while a keylogger was enabled has just told you the password.

3. Standard mode filters out any packets not intended for the IP address configured onto the interface. Promiscuous mode processes everything, whether intended for that address or not.

4. A node-to-node communication will let you analyze traffic between two specific hosts, whereas node-to-any analyzes all traffic from a particular node, regardless of its target. Node-to-node allows you to analyze specific conversations, whereas node-to-any allows you to analyze patterns, habits, and so forth.

5. Router and switch information can corroborate information found in other sources. For example, the MAC data from a file might indicate that it was created on May 3 at 9:03:22AM. If the suspect is being investigated for pilfering information and you can demonstrate that this file existed on a secure location and that the user was logged on at that time, you corroborate that the file was moved at that time. Connection logs tell you what network connections were made from that user’s host device during that time frame, so you can demonstrate that a network connection to the secure file was made during that time frame. While circumstantial, it is still convincing evidence that the suspect indeed copied the file from that location.

Chapter 13

1. The three basic structures of cloud computing are Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). SaaS is like installing a complex application on a computer, except that the computer is really a Web interface and all of the processing, filing, and indexing are done by the vendor. IaaS steps up to the level where an entire organization’s network exists remotely. Regardless of where an employee is located, they can log into the cloud network and work as if they were at a desk at work, with all applications at their disposal. PaaS is similar to IaaS, except that with PaaS, the organization has no control over how applications are installed onto their platform. The vendor chooses OS, programming language, and everything.

2. If a warrant only defines the computers owned by the suspect identified in the warrant, and that person employs cloud computing, then the warrant will allow you to seize all of their hardware, but the data and applications won’t be on that hardware, so you have seized nothing of value. A warrant must be issued against the service provider, ordering them to turn over all virtual machines and data stores contracted by the suspect.

3. With virtualization, a single physical computer (or a cluster of networked servers acting as a single entity) hosts an application that allows a large number of “pretend” machines to be configured. Each one of these configured machines has its own I/O, its own storage, its own virtual network cards, and its own computer name. These virtual machines can be servers, or they can be workstations. They can even be virtual switches and virtual routers, creating virtual networks. In a forensic investigation, only the machines identified in a warrant or subpoena may be targeted. Other machines that exist on the same server must be ignored.

4. A document imaging system stores all of the actual documents in large cabinet files with archaic names. The master database files and the index files tell the application how to locate actual documents and pages within documents. Without them a CAB file is very difficult to break down.

5. Virtual machines exist as “instances” on a server. That instance can be copied as an image file the same way a disk from a regular computer can be imaged. Once that image has been captured, it is analyzed the same as any other disk image.

Chapter 14

1. Triangulation is a process of calculating the location of a signal source by measuring the distance and direction from three separate known locations to the source of a signal. Draw a line from those three locations, and where the lines intersect, that is the source of the signal. Now an investigator knows where the device is (or was) at the time of transmission.

2. A PIN is a personal identification number. Therefore, a PIN number is a personal identification number number, which is grammatically incorrect, so you should never call it a “PIN number.” The PIN is used as an authentication device to increase the security on a telephone or a bank card. A user types her PIN to gain access to her phone. If she types it incorrectly a certain number of times, the device is locked and nobody can get in. PUK is the PIN unlock key, which is a separate code that allows a user to unlock a device that has been disabled by incorrectly typing in a PIN a certain number of times.

3. Since cell phones are by definition network devices, it is possible for someone with the right tools and expertise to connect to the phone remotely and wipe it clean to prevent a forensics team from uncovering evidence. By keeping the phone off the network, this possibility is greatly reduced.

4. Without a Faraday bag, a phone can be taken off the network by removing the SIM card. Some phones also have a feature called airplane mode that takes the device off the network so that it does not interfere with the communications devices on an aircraft.

5. Two sets of circumstances would automatically lead to cell phone confiscation without a warrant. The first of these is a seizure at the time of an arrest. Courts have repeatedly supported law enforcement’s right to conduct search and seizure incident to arrest. The second is if the phone is in plain sight and it is evident from the screen that the device was used in a suspicious manner.

Chapter 15

1. The forms of antiforensics are artifact destruction, data hiding, trail obfuscation, and attacks against forensic tools. Artifact destruction is the intentional deletion of files, erasure of information within files, or deletion of registry entries. Such activity constitutes antiforensics. Data hiding is finding obscure places to put information, such as in registry entries, using slack space or unallocated space for file storage, and alternate data streams. Trail obfuscation would include activities such as registry editing or log file editing or deletion. Attacks against forensic tools would include any activity that is intended to prevent an investigator’s arsenal from detecting evidence or malicious activity.

2. In the registry, the most recently used (MRU) lists identify the last several files that were opened by a particular user or application. There are a large number of MRU entries in the registry, and the same event can be recorded in more than one. For example, a user has a file that appears in the KFF registry, but deletes it and subsequently uses a DoD wipe utility to permanently erase it. The fact that the MRU shows that file name as a recently opened file indicates that it once existed on the system, and it may be possible from other registry entries to connect the file to a specific user. Additionally, applications that are uninstalled from a system do not necessarily remove their hives from the registry. A hive in the registry for a known hacking tool can demonstrate that the program once existed, but was uninstalled.

3. Temporary files include automatic backup files, work files, and autosave files. There are also various log files generated by programs. Many times, a document that was deleted leaves behind autosaves or backup files. These can be used to show what the contents of the file were at the time the backup was made. Such information proves that the document existed and what type of information it contained. It also may prove whether or not the document was edited somewhere along the line.

4. Expandable String Value keys can store large amounts of text. Multistring value keys can store information such as telephone numbers or text.

5. An alternate data stream is a virtual link between two files. The host file is the one seen by the operating system. The alternate stream points to another file that exists inside of the host file, but is not actually a part of it. It exists as an attribute of the host file. Since the ADS file does not exist as part of the file system, it does not appear in Windows Explorer or any other file system utility. The Streams utility from SysInternals detects alternate data streams.

Chapter 16

1. Rule 26f specifies that both parties in any civil action will meet prior to trial and discuss the nature of the claim. Efforts will be made to settle out of court, but if court action is inevitable, a discovery plan will be discussed and put into place. Any witnesses to be called will be identified and revealed to the other party.

2. As soon as there is any indication that litigation is on the horizon, a litigation hold should be issued. Anybody in the organization with access to relevant information should be advised and the IT staff should immediately be alerted to cease any automatic file purging related to document retention policies that might be in effect.

3. There are two clearly evident forms of spoliation. First, any destruction of a document that violates any statute would be considered spoliation, even if there isn’t pending litigation. Second, any data destroyed in the face of pending litigation can be considered spoliation even if it occurs prior to a litigation hold order. If opposing counsel can demonstrate that the spoiling party knew they were about to be sued and got rid of all the incriminating evidence in advance, the court can find them guilty of spoliation.

4. Near-line data is any information that can be readily accessed through existing systems, even if not directly connected to a system being searched. This is in contrast to online data that exists on the system. Online data would include information stored on the hard drive. Near-line data is information that is easily accessed but not stored on the computer. This would include media such as CD-ROMs, flash drives, and external hard disks. Inaccessible data is information that can only be extracted through specialized processes, such as deleted files and encrypted tape backup files. Offline storage is that middle ground where the data is easy enough to get, but in a location that might provide challenges. This would include Internet locations (cloud storage, etc.), SAN or NAS volumes, and so forth.

5. The review of data requires that numerous individuals (most of them highly paid individuals such as lawyers and accountants) go over evidence one file at a time and identify which ones are evidence and which ones are protected. While most of the other processes are somewhat automated, this step is completely manual and very time consuming.

Chapter 17

1. The preparation phase contains a variety of elements, not all of which are case specific. Preparation includes assembling and training your team, installing and configuring your hardware and software, testing tools, and generating policies. Having the right personnel, hardware, and software determines your overall capabilities. In terms of specific cases, preparation would include gathering the necessary tools for the assignment, having sufficient fresh media for storing images, and having the necessary items for transporting evidentiary materials. Making sure that you have the right people fully available for the duration of the job is a critical aspect of preparation.

2. Treat triage just as you would if it were a battlefield. Determine as quickly as possible if any of the threats would have an impact on someone’s health or life. This sounds exaggerated, but in fact, if you are dealing with medical records, that may be more realistic than you suppose. Next, decide if there are any actions that must be taken to protect data or infrastructure. Personal and financial data must be secured.

3. Crime scene preservation would include securing and protecting any devices or media that could contain evidence. Don’t let anything “get away,” either through malfeasance or negligence. Survey the scene to determine if there is anything of value that is not readily apparent to the naked eye and be VERY careful that you do not trample on evidence that other teams might need for their aspect of an investigation. Document everything you see, everything you touch, everything you examine, and everything you take. Photograph everything and take careful notes. Search the area carefully for hidden evidence (such as CDs, flash drives, and so forth). Lastly, try to reconstruct what happened.

4. Evidence handling is crucial to any investigation. If opposing counsel can demonstrate that there was even a minuscule possibility that evidence could have been tampered with, corrupted, or altered in any way, they can have that evidence disallowed. The chain of custody is a critical document for demonstrating that evidence was properly cared for as long as it was in your possession.

5. The final report will contain copies of all documents requesting the investigation, copies of authorizations to proceed, warrants, and subpoenas. Inventories of all items touched by the team must be provided, along with a chain of custody report that includes each of those items. All case logs and notes generated by the team are included. All photographs made throughout the investigation, and lastly, the conclusions made by the investigation, must be provided.

Chapter 18

1. Abstraction layers represent the varying layers of complexity that code assumes as it moves from one level of the system down to the final processor core. What starts out as a complex human-readable language is broken down, level by level, until it can eventually be represented by a long series of on-off switches. Forensic tools take advantage of abstraction layers to find raw data at the hardware level and bring it back to the humanly readable level. A lossless layer makes no changes whatsoever to data as it moves from one layer to the next. A lossy layer does a degree of interpretation as it moves up or down the chain.

2. The four standards are accuracy, verification capability, consistency, and usability. Without accuracy and consistency, a tool is totally useless. You cannot trust the results. Without verification capability, you can’t really tell if you have accuracy or consistency, so the tool continues to be totally useless. Lack of usability doesn’t make it totally useless. It simply means you need someone with a huge amount of training to use it.

3. Event Viewer is a system-level log generator that collects several different logs. The three most critical to the investigator are the System, Application, and Security logs. From these logs, you can tell when a particular user was logged onto the machine. You can see failed authentication attempts, and you can track the number of times data was copied to removable storage. Additionally, you can see when an application was installed on or uninstalled from the system.
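As an added example (not from the book), the script below correlates Security-log events in the XML form that Event Viewer exports into per-account failed-logon counts and logon/logoff sessions, which is the kind of timeline the answer above refers to. The events are constructed for illustration; the event IDs (4624 logon, 4625 failed logon, 4634 logoff) and field names (TargetUserName, TargetLogonId) are the standard ones Windows writes.

```python
# Added example, not from the book: correlate Security-log events exported
# in Event Viewer's XML form into per-account failed-logon counts and
# logon/logoff sessions. 4624 = successful logon, 4625 = failed logon,
# 4634 = logoff (standard Windows Security event IDs).
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
EVENT_XMLNS = 'xmlns="http://schemas.microsoft.com/win/2004/08/events/event"'
# Constructed sample export (two failed attempts, then a logon and its logoff).
SAMPLE_EVENTS = f"""<Events>
<Event {EVENT_XMLNS}><System><EventID>4625</EventID>
 <TimeCreated SystemTime="2024-03-01T08:59:10Z"/></System>
 <EventData><Data Name="TargetUserName">jdoe</Data></EventData></Event>
<Event {EVENT_XMLNS}><System><EventID>4625</EventID>
 <TimeCreated SystemTime="2024-03-01T08:59:42Z"/></System>
 <EventData><Data Name="TargetUserName">jdoe</Data></EventData></Event>
<Event {EVENT_XMLNS}><System><EventID>4624</EventID>
 <TimeCreated SystemTime="2024-03-01T09:00:05Z"/></System>
 <EventData><Data Name="TargetUserName">jdoe</Data>
 <Data Name="TargetLogonId">0x3e7a1</Data></EventData></Event>
<Event {EVENT_XMLNS}><System><EventID>4634</EventID>
 <TimeCreated SystemTime="2024-03-01T17:30:00Z"/></System>
 <EventData><Data Name="TargetUserName">jdoe</Data>
 <Data Name="TargetLogonId">0x3e7a1</Data></EventData></Event>
</Events>"""

def parse_events(xml_text):
    """Yield (event_id, time_created, {data name: value}) per <Event>."""
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        yield eid, when, data

def summarize(xml_text):
    """Return (failed logons per account, (logon, logoff) pairs per account)."""
    failed = defaultdict(int)
    open_sessions = {}              # TargetLogonId -> (account, logon time)
    sessions = defaultdict(list)
    for eid, when, data in parse_events(xml_text):
        user = data.get("TargetUserName", "?")
        if eid == 4625:
            failed[user] += 1
        elif eid == 4624:
            open_sessions[data.get("TargetLogonId")] = (user, when)
        elif eid == 4634:             # pair the logoff with its logon by LogonId
            user, start = open_sessions.pop(data.get("TargetLogonId"), (user, None))
            sessions[user].append((start, when))
    return dict(failed), dict(sessions)
```

Running `summarize(SAMPLE_EVENTS)` shows two failed attempts for jdoe immediately before a successful logon that lasted until 17:30, the pattern an examiner would check against the user's claimed activity.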

4. Virtually all of the commercial forensic suites have already been tested for accuracy and reliability. Since they are readily available to anyone who has the money to buy them, their verification capacity cannot readily be challenged. Also, all of them provide some level of training, ranging from free support to paid formal classroom sessions. This greatly enhances the usability rating for a commercial suite. Add the fact that most of them have been tested by NIST, and there is a lot on the plus side to buying a commercial suite.

5. Unless you use a write-protect device or can demonstrate that you write-protected the device through a software setting, you cannot demonstrate beyond a shadow of a doubt that critical data on the system was not overwritten.

Chapter 19

1. A basic system, at the very minimum, requires a system board, a CPU, RAM, a video adapter (which may be integrated onto the system board), and an enclosure. A keyboard and mouse are necessary to control the computer. A forensic workstation needs all of the above, but with more horsepower. It needs as much processor power as you can throw at it, and as much RAM as you can install. It also needs substantially more sophisticated I/O. Write-protect devices are needed for memory cards, hard disks, and so forth. Hot-swap bays for hard disks aren’t required, but they certainly make life easier to live for the analyst.

2. The amount of onboard L1 and L2 cache greatly affects speed. A significant performance boost is gained by increasing the speed and width of the front side bus.

3. Since the system board dictates what kind of memory is supported, the memory sticks must be chosen based on what that board supports. If a board supports both error correction code (ECC) and non-ECC memory, it should be remembered that ECC tends to slightly degrade performance. The highest bus speed that the chosen CPU and board support should be selected. If multichannel RAM is supported, then as many channels as possible, using as much memory per channel as possible, should be configured.

4. Hot-swap bays allow a user to add and remove hard disks on the fly without shutting down the system. Since a forensic analyst is always looking at different disk drives, this is a valuable addition.

5. 32-bit operating systems do not support as much RAM as do 64-bit systems. Additionally, because twice as much data is transferred on each clock cycle of the CPU, 64-bit systems perform faster. However, a 64-bit OS requires a 64-bit processor, chipset, and so forth. So installing a 64-bit OS onto a 32-bit system won’t work. You can install a 32-bit OS onto a 64-bit system with no problem. If you need a 32-bit OS for any reason, it would be good to configure the 64-bit machine to dual-boot between a 64-bit OS and a 32-bit OS.

Chapter 20

1. The three areas that should be covered by a digital forensics exam include admissibility of evidence, standards and certifications, and analysis and preservation. Certification programs can be either vendor neutral or vendor specific.

2. GIAC offers the Certified Forensic Examiner and the Certified Forensic Analyst certifications. The GCFE is considered the “entry-level” exam and is targeted at people who are new to the field. The GCFA requires significantly more expertise in order to pass and is targeted at the seasoned professional.

3. Hard skills are generally technical in nature. Fine-tuned skills, such as an ability to analyze memory, an advanced knowledge of operating system structure, and so forth, are considered hard skills. Soft skills are often the ones that a person develops throughout life. Such skills would include an ability to communicate well, good observation skills, and such.

4. The ENCE is the Guidance Certified Examiner certification. It tests a candidate’s ability to use EnCase software in a general forensic examination. The ENCEP is the Certified eDiscovery Practitioner. As the name implies, it is targeted at those whose primary job entails fulfilling discovery motions in legal cases.

5. Every state has its own set of regulations that dictate whether a license to practice digital forensics is required. Some do not have any such requirement at all. Of those that do, some of them make the licensing requirement part of their overall requirements for licensing private investigators. Some states require that you pass exams; some do not. To find out what your state’s requirements are, contact your state’s attorney general’s office and ask for guidance.

Chapter 21

1. Building an in-house forensics department has several advantages. For one thing, it gives you complete control over the process. You control your own security, and you pick your own people. It is not necessary to entrust sensitive and potentially damaging information to outside parties. On the other hand, the costs can be prohibitive for many smaller organizations.

2. For the most part, “one-time” costs are the expenses you incur in the process of creating a new business or department. Such expenses would include real estate development, building improvements, equipment purchases, and so forth. Recurring costs are those that must be paid out on a regular basis. Salaries, rent, loan payments, insurance premiums, and so forth all qualify as recurring costs. However, not all of the one-time costs are really one time. Computer systems will require regular upgrades, and it is likely that training costs will reappear from time to time.

3. There should be a policy manual that defines employee expectations. Hiring policies and training policies would fall into this category. Procedurally, there should be strict policies defined for data retention, naming standards, and documentation procedures.

4. Most organizations will not be able to justify maintaining a professional level of service and training for every form of digital investigation that exists. Occasionally, it might be necessary to go outside the organization for things like extracting data from fried hard disks, legal consultations, or specific forms of data acquisition. For example, not everyone will have a telephone analyst or a skilled memory analyst. It is a good idea to know where to hire those services out when necessary.

5. One way to show the value of an in-house department is to “bill” other departments for services based on net value. That way you’re moving the cost basis from one department to another without cash actually changing hands. At the end of the year, you prepare an annual report showing what your services would have cost the organization had they been outsourced.
