* (asterisk), in string searches, 180
@ (at sign)
in e-mail addresses, 187
in passwords, 349
“ ” (double quotes), Boolean operator, 205
$ metadata file, 136
– (minus sign), Boolean operator, 205
+ (plus sign), Boolean operator, 205
8.3 file names, 134
32-bit vs. 64-bit forensics workstations, 432, 438
The A+ Guide to PC Hardware Maintenance and Repair, 423
Abbot Papyrus, 379
Absolute direct addressing, 125
Abstraction layers
lossless, 399
lossy, 399
Access attribute, 160
Access Data Corporation
certification program, 450–451
EDiscovery, 408
SilentRunner, 408
Access Data Corporation, FTK (Forensic Tool Kit)
creating timelines, 19
e-discovery, 370
EWF support, 124
live capture of registry entries, 331
Access log, 243
AccessData Certified Examiner (ACE), 451
AccessData Mobile Examiner (AME), 451
Accessible data
definition, 511
forensics workstations, 425
Accused. See Defendant.
Accuser. See Plaintiff.
ACE (AccessData Certified Examiner), 451
Acquisition. See also Cell phones, acquisition; Data acquisition.
and preparation for final report, 391–392
window for evidence collection, 255
Active measures, detecting, 227–230
Active@KillDisk (AKD), 108
Addonics, 437
Address book folder, 191
Addressable memory vs. system, 114–115
Adhesive labels, 421
Admissible/admissibility, 511
Adroit Photo Forensics, 146
ADS (alternate data stream)
definition, 511
Advanced Test Products, 415
AFF (Advanced Forensic Format), 126
definition, 511
of probable cause, 36
Agent of the government
definition, 511
in the Fourth Amendment, 25–26
Aguilar v. Immigration and Customs Enforcement, 157–158
Airplane mode, cell phones, 319
AKD (Active@KillDisk), 108
AMD processors, 431
AME (AccessData Mobile Examiner), 451
Amendments to the Constitution, 24. See also Fifth Amendment; First Amendment; Fourth Amendment.
American Society of Crime Laboratory Directors/Laboratory Accreditation Board (ASCLD/LAB) certification, 481–483
Analysis, description, 6–7. See also Browser history analysis.
Analysis and Review package, 372
Analyzing proxy server logs
Sawmill utility, 244
WebTrends utility, 243
Analyzing Web server logs
centralized logging, 238
epoch time conversion, 237–238
logging per server, 238
rotating logs, 237
W3C fields, 237
AND operator, 204
Andrus, U.S. v., 83
Anonymous remailers, 254
Antiforensics. See also Artifact destruction; Hiding data.
definition, 512
Apache Systems
OpenOffice suite, 439
Web server logs. See Web server logs, Apache files.
Apparent authority
definition, 512
description, 47
Application logs, 263, 264–268
Appropriation of name or likeness, 30
Artifact destruction
overview, 328
Artifact destruction, extracting registry history
deleted applications, 330
HKEY_USERS, Windows registry, 328–331
installed software, by user, 331
MRU (most recently used) files, 328–331
SID (Security Identifier), 329
tools, 331. See also specific tools.
Artifact destruction, file system metadata
DCO (Device Configuration Overlay), 331
event logs, 331
MFT (Master File Table), 332–335
NTFS metafiles, 333
string search, 333
Artists Against 419, 88
ASCLD/LAB (American Society of Crime Laboratory Directors/Laboratory Accreditation Board) certification, 481–483
Assessment. See Identification/assessment.
Assumed permission, 48
Asterisk (*), in string searches, 180
At sign (@)
in e-mail addresses, 187
in passwords, 349
Atech Flash Technology, 437
Attachment statistics, e-mail analysis, 207
Attorney/client privilege, 64–65
$AttrDef metadata file, 136
Audit trails, privacy legislation, 57
Audits, 512
Authentication
DD (bit for bit) images, 124
definition, 512
Authenticity of evidence
computers as containers, 79
consent search doctrine, 81–83. See also Warrantless searches, with consent.
digital evidence, 95
forensics workstations, 425
inadvertence approach, 78
multiple users on a computer, 80–81, 83
password-encoded accounts, 80–81, 88
proactive evidence collection, 254–255
Authority to consent to search
erroneous assumption of, 83
Autoruns, 404
AVG Antivirus logs, 268
AWSTATS log, 236
Bad clusters, hiding data, 181–182, 339
$BadClus metadata file, 135–136, 182, 339
Baron, Jason, 205
Base addresses, 125
Base Station Controller, 310
Base Transceiver Station, 310
Bates numbering, 376
definition, 512
Batteries, removing and handling, 103
Bee Docs, 20
Bellar, State v., 302
Bill of Rights, 24
BIN (Centralized Binary) Web server logs, 234
Binary metadata vs. human-readable, 156
Bit for bit (DD) images
authentication, 124
data acquisition format, 124
file splitting, 124
$Bitmap metadata file, 136
BlackBag technologies, 321
Blackburn, Robert, 75
BlackLight, 321
Blanket search, 252
Block, U.S. v., 81
Blogs, First Amendment protection, 28–29
Blue screen snapshots of memory, 112
Body file, 163
Books and publications
Computer Forensics: Incident Response Essentials, 2
Crime Investigation: ...and the Police Laboratory, 93
Cyber Forensics: A Field Manual..., 91
Electronic Crime Scene Investigation:..., 91
Guidelines for Evidence Collection and Archiving, 112
A Hardware-Based Memory Acquisition..., 119
PC Hardware Maintenance and Repair, 417
PMBOK (Project Management Book of Knowledge), 14
“Privacy,” 30
Records, Computers, and the Rights of Citizens, 56
The Right to Privacy, 30
Searching and Seizing Computers..., 64–65, 67
Steganografia, 350
Boolean operators
definition, 512
$Boot metadata file, 136
Bradley Joseph Steiger, U.S. v., 86–87
Branzburg v. Hayes, 28
Breadth of search, 84, 512. See also Scope of search.
British Government, metadata incident, 167–168
Broadband network access, cloud computing, 278
Browser engines, 216
Browser history analysis
control of digital material, 226–227
counting contraband, 230
DAT files, displaying, 221
detecting active measures, 227–230
detecting malware, 227
establishing user actions, 224–230
evidence of deleted files, 223
fast meta refresh, 224
goal of forensic analysis, 222
HTTP 300 message, 224
identifying specific records, 221
job of the investigator, 222–224
knowledge of possession, 222–224
MFT (Master File Table), 223
MFT metadata, effects of deleting files, 229
for multiple users, 224
pop-up bombs, 224
present possession concept, 222
sorting records, 221
timeline, creating, 227
tools, 221, 223, 225, 227, 230, 233
Trojan horse defense, 227
user intent and control, 226–227
Website Profiler, 233
Browser history analysis, tools for
BUTIL, 243
The Coroner’s Toolkit, 233
CSAUDIT, 243
Directory Snoop, 223
e-mail analysis, 206
Log Parser 2.2, 236
MAC analysis, 163
Metadata Analyzer, 181
NWAdmin, 243
ODBC, 243
Pasco, 221
proxy server log analysis, 243–244
Registry Analyzer, 178
Sawmill, 244
summary of, 230
WebTrends, 243
Browsers. See Web browsers.
Browsing Web sites. See Web browsers.
Brute-force attacks, password cracking, 349
Buckner, Frank Gary, 82
Buckner, Michelle, 82
Burden of proof, 5
Business change control, 476–477
Business of forensics. See Starting a shop.
Business Wire, 450
BUTIL, 243
Cables and connectors, evidence handling, 104
Cache log, 243
Cached browser history, 219
Cached files, location of, 219
Caching browser information, 216
Cain and Abel, 349
Canon Imageware, 298
Captain Nemo, 409
Capture, 408
Carriers, steganography, 351
carver-recovery, 149
Carvey, Harlan, 331
CascadeShark, 255
Case logs
definition, 512
for software tools, 412
Case management
ancient example of, 379
file-naming conventions, 381–382
frameworks, 380
presenting the results, 388–389
teams, 382
threat assessment, 381
Case management, investigation stage
crime scene management, 385–386
lab preparation, 386
Case summary, final report, 391
Casey Marie Anthony, State of Florida v., 224
CCE (Certified Computer Examiner), 448
CDFE (Certified Digital Forensic Examiner), 445–446
CDMA (Code Division Multiple Access), 310
CDs, evidence handling, 103
Cell phones. See also Mobile devices.
Base Station Controller, 310
Base Transceiver Station, 310
CDMA (Code Division Multiple Access), 310
charging, 319
cocktail effect, 310
device information, retrieving, 315–317
differentiating between users, 310
GPS (Global Positioning System), 311–313
GSM (Global System for Mobile Communications), 310–311
HLR (Home Location Register), 310
location, determining, 311–313
MSC (Mobile Switching Center), 310
passwords, extracting, 320–321
permanently blocked, 315
removing moisture from, 321
setting to airplane mode, 319
TDMA (Time Division Multiple Access), 310–311
VLR (Visitor Location Register), 310
Cell phones, acquisition
recovering deleted data, 320–321
reporting software, 321
screen capture, 320
SITA (search incident to arrest), 317
tools, 317–321. See also specific tools.
Cell phones, cellular towers
Cell phones, data storage
blocking communication, 318–319
cloning SIM cards, 320
ESN (electronic serial number), 315
ICCID (Integrated Circuit Card Identifier), 315
IMEI (International Mobile Equipment Identity), 315–316
MEID (mobile equipment identifier), 315–316
micro-SIM cards, 314
mini-SIM cards, 314
overview, 313
PIN (personal identification number), 314
portable charging devices, 318–319
PUK (PIN unlock key), 314
radio frequency isolation, 318–319
RAM (random access memory), 315
ROM (read-only memory), 315
SIMless phones, 314
TAC (Type Allocation Code), 316
tools, 319. See also specific tools.
Cellboost device, 319
Centralized Binary (BIN) Web server logs, 234
Centralized logging, 238
Certification
areas of competency, 442
licensing requirements, 451–452
Certification, vendor-neutral programs
CCE (Certified Computer Examiner), 448
CDFE (Certified Digital Forensic Examiner), 445–446
DFCB (Digital Forensics Certification Board), 446–447
Digital Forensics Certified Associate, 446–447
Digital Forensics Certified Practitioner, 446–447
fees, 447
GCFA (GIAC Certified Forensic Analyst), 443–444
GCFE (GIAC Certified Forensic Examiner), 443–445
GIAC (Global Information Assurance Certification), 443
GIAC Reverse Engineering Malware, 443
hard skills, 445
ISFCE (International Society of Forensic Computer Examiners), 448
MFCE (Mobile Forensics Certified Examiner), 448
MFI (Mobile Forensics, Inc.), 448–449
overview, 442
soft skills, 445
Certification, vendor-specific programs
ACE (AccessData Certified Examiner), 450–451
AME (AccessData Mobile Examiner), 451
Business Wire, 450
Encase forensic suites, 450
ENCE (Encase Certified Examiner), 450
ENCEP (Encase Certified eDiscovery Practitioner), 450
Guidance Software, 450
overview, 450
PCFE (Paraben Certified Forensic Examiner), 452
PCME (Paraben Certified Mobile Examiner), 452
Certified Computer Examiner (CCE), 448
Certified Digital Forensic Examiner (CDFE), 445–446
CFTT (Computer Forensics Tool Testing), 411
Chain of command, crime scene, 96–97
Chain of custody
case law, 21
definition, 512
documenting, 20
sample forms, 509
Change control
Child pornography. See also Pedophiles.
inadvertent discovery, 78
Chimel v. California, 45
Cisco Router Evidence Extraction Disk (CREED), 271
Civil action, definition, 512
Civil cases
defendants, 1
mobile device forensics, 323–324
plaintiff, 1
Civil investigations
definition, 1
timelines, 9
types of attacks, 9. See also specific attacks.
Class characteristics of evidence, 94
Clearing and Sanitizing Matrix, 142
Client-server networking, cloud forensics, 288–289
Clients. See E-mail clients.
Cloning SIM cards, 320
Closed container, definition, 512
Closed container clause, 27, 38–39. See also Computers as containers.
Cloud computing. See also Virtualization.
broadband network access, 278
characteristics of, 278
community cloud, 279
definition, 277
elasticity, 278
hybrid cloud, 279
measured service, 278
on-demand service, 278
public cloud, 279
resource pooling, 278
Cloud computing, service models. See also specific models.
hosted application management, 282
IaaS (Infrastructure as a Service), 280–282
PaaS (Platform as a Service), 284
SaaS (Software as a Service), 282–284
SSO (single sign-on) security, 283
Cloud forensics
checklist of questions, 286
client-server networking, 288–289
cloud structure, overview, 287
computational model, 287
document imaging systems, file naming conventions, 296–297
documents vs. metadata, 285
elasticity, 287
jurisdictional issues, 285
lack of physical disks, 285, 290–291
P2P (peer to peer) networking, 288
protecting non-targeted information, 290–291
real-time monitoring, 291
recovering deleted data, 291
reproducible methods, 285
stateful applications, 289
stateless applications, 289
Cloud forensics, constitutional issues
ESCA (Electronic Stored Communications Act), 301–302
Fifth Amendment issues, 303
forced surrender of passwords, 303
Fourth Amendment issues, 301–302
reasonable expectation of privacy, 302
Cloud forensics, technical aspects
capturing virtual machines, 299–300
collecting artifacts, 296
database transaction logs, 298
LDF (log data file), 298
MDF (master database file), 296, 298–299
CLSID (Content Class Identifier), 192, 512
Clusters
definition, 513
Microsoft file system, 133, 138–140
Cmty. Health Sys., Inc., U.S. ex rel. Baker v., 66
Cocktail effect, 310
Code Division Multiple Access (CDMA), 310
Collecting evidence. See Data acquisition; E-discovery, data collection; Evidence handling.
Collecting live information, 103, 104
Commands
#copy startupconfig tftp, 272
#dir slot, 272
history, listing, 272
net sessions, 262
net share, 262
net use, 262
netstat, 262
piping, 124
router and switch forensics, 271, 272
#show history, 272
#show users, 272
Common Log fields, 240
Common Log (NCSA) Web server logs, 234
Communications model, cloud forensics, 288–290
Community cloud, 279
Competence of evidence, 74–76, 513
Competent, definition, 513
Comprehensive Drug Testing, U.S. v., 44, 78–79
Computational model, cloud forensics, 287
Computer crimes
characteristics of, 10
types of attacks, 9
Computer Forensics: Incident Response Essentials, 2
Computer Forensics Tool Testing (CFTT), 411
Computer power, forensics workstations, 424
Computer science vs. digital forensics, 92
Computer Watchdog, 251
Computers as containers. See also Closed container clause.
admissibility of evidence, 79
authenticity of evidence, 79
plain view doctrine, 79
Computers for forensics work. See Forensics workstations.
Concept extraction, e-discovery, 371–372
Concept searching, e-mail searches, 207–208
Conclusion, final report, 392–393
Configuration log, 243
Consent exception, proactive evidence collection, 252
Consent search doctrine. See also Warrantless searches, with consent.
authenticity of evidence, 81–83
case law, 82
Consent to warrantless search. See Warrantless searches, with consent.
Constitution of the United States
amendments, 24. See also Fifth Amendment; First Amendment; Fourth Amendment.
Bill of Rights, 24
modifications to, 24
privacy rights, 55
Constitution of the United States, limits of
constraints on evidence, 75
jurisdiction in cyberspace, 85–86
self-incrimination, 27. See also Fifth Amendment issues.
Constitutional issues, cloud forensics
ESCA (Electronic Stored Communications Act), 301–302
Fifth Amendment issues, 303
forced surrender of passwords, 303
Fourth Amendment issues, 301–302
reasonable expectation of privacy, 302
Consumer Reporting Agencies (CRA), guidelines for, 60
Contamination teams. See Taint teams.
Content Class Identifier (CLSID), 192, 512
Context triggered piecewise hashing (CTPH), 369–370
Contraband, counting, 230
Control of digital material, 226–227
Cookies
definition, 217
storage location, 219
#copy startupconfig tftp command, 272
Copyright infringement, 29
The Coroner’s Toolkit, 233
Corporate departments as revenue source, 480–481
Cost justification, starting a forensics shop, 480–481
Costs. See also Revenue sources.
facilities improvement, 466
starting a forensics shop, 462–466
Court approval of software tools, 410–413
Cover files, steganography, 351
Covert data, definition, 347, 513. See also Hiding data.
Covert data, encryption
BitLocker Drive Encryption, 347
DESX (Data Encryption Standard eXORed), 347
EFS (Encrypting File System), 347
methods of, 347
smart cards, 347
Covert data, steganography
algorithms, 351
carriers, 351
cover files, 351
detecting, 354
dictionary attacks, 354
filtering, 351
lossless compression, 350
lossy compression, 350
LSB (least significant bit) insertion, 351
masking, 351
messages, 351
null cipher, 354
overview, 350
redundant pattern encoding, 351
signatures, 354
stegoimage, 351
stegokey, 351
tools, 351–354. See also specific tools.
transformations, 351
CRA (Consumer Reporting Agencies), guidelines for, 60
Crack, 349
Cracking algorithms, password cracking, 349
Credibility of evidence, 74, 513
Credible, definition, 513
Credit reports, privacy legislation, 60
CREED (Cisco Router Evidence Extraction Disk), 271
Crime Investigation: ...and the Police Laboratory, 93
Crime scene management, 385–386
Crime scenes. See also Digital evidence; Evidence.
BitLocker encryption, 98
concealed passwords, 100
Faraday bags, 98
identifying data sources, 99–100
laser printers, 100
missing devices, 99
safety, 97
scan once/print many devices, 99
USB devices, 98
Criminal action, definition, 513
Criminal cases
defendants, 1
plaintiff, 1
Criminal investigations
definition, 1
CSAUDIT, 243
CSI Effect, 91
CTPH (context triggered piecewise hashing), 369–370
Curriculum vitae, 513
CV (curriculum vitae), 31
Cyber Forensics: A Field Manual..., 91
“Dance hall proprietor vs. landlord” argument, 29
Dark data. See also Hiding data.
definition, 513
DAT files, displaying, 221
Data abstraction layers
lossless, 399
lossy, 399
Data acquisition. See also Cell phones, acquisition; E-discovery, data collection.
blue screen snapshots of memory, 112
.DMP files, 112
Guidelines for Evidence Collection and Archiving, 112
imaging process, legal argument for, 123
order of volatility, 112
from original data, 111
priority list for, 112
Data acquisition from media
absolute direct addressing, 125
base addresses, 125
encrypted devices, 122
offsets, 125
password recovery, 122
types of media, 121
write-protected port replicator, 122
Data acquisition from media, file formats for disk images
AFF (Advanced Forensic Format), 126
DD (bit for bit) images, 124
EWF (Expert Witness Format), 124–125
IDIF (iLook Default Image Format), 127
IEIF (iLook Encrypted Image Format), 127
iLook, 127
IRBF (iLook Raw Bitstream Format), 127
summary of, 123
Data acquisition from memory and running processes
capturing, software for, 116
footprints, 116
A Hardware-Based Memory Acquisition..., 119
hardware memory capture, 119–120
hashing the memory image, 114
hooks, detecting, 117
kernel mode, 116
MAC data, modifying, 121
MD5 hash, calculating, 118
memory as a device, 116
paths to memory, 116
priority data, 114
SHA1 hash, calculating, 118
smear images, 116
software memory capture, 117–119
system memory vs. addressable memory, 114–115
user mode, 116
Data attribute, file metadata, 154
Data carving. See also File recovery.
carver-recovery utility, 149
DFRWS (Digital Forensics Research Workshop), 146
false positives, 146
files embedded in other files, 146
fragmented files, 146
overview, 145
Scalpel utility, 149
SmartCarving, 146
Data collection, cloud forensics, 285, 290–291
Data Encryption Standard eXORed (DESX), 347
Data recovery
from slack space. See Data carving.
from unallocated space. See Data carving.
Data recovery, cell phones, 320–321. See also File recovery.
Data retention, policies and procedures, 471–472
Data sources, crime scene, 99–100
Data wiping utilities, 108–109
Database activity logs, 266
Database transaction logs, 298
Daubert v. Merrell Dow Pharmaceuticals, 317, 401
David, U.S. v., 39
DCO (Device Configuration Overlay), 331
DD (bit for bit) images
authentication, 124
data acquisition format, 124
file splitting, 124
dd utility, 108
DDR (dual data rate) memory, 432
Debt collection, privacy legislation, 62
Decryption Collection, 408
Defendant
in civil cases, 1
in criminal cases, 1
definition, 513
as stakeholder, 12
Deleted applications, extracting registry history, 330
Deleted documents, proving existence of, 159–162
Deleted files. See also Data recovery; File recovery; Recycle Bin.
browser history analysis, 223, 227–230
Deleting e-mail messages, 191
Deleting files. See also Recycle Bin.
Clearing and Sanitizing Matrix, 142
Department of Defense specifications, 142
hidden files, 142
INFO file, 142
INFO2 file, 142
temporary files, 175
Dentries, UNIX/Linux file systems, 137–138
Department of Defense specifications, data destruction, 142
Deployment models, cloud computing, 278–279
Destroying data
acceptable destruction methods, 142–143
AKD (Active@KillDisk), 108
Clearing and Sanitizing Matrix, 142
data wiping utilities, 108–109
dd utility, 108
Department of Defense specifications, 142
Disk Scrub utility, 109
during graceful shutdown, 143
Shred utility, 108
WIPE.EXE utility, 108
DESX (Data Encryption Standard eXORed), 347
Device Configuration Overlay (DCO), 331
Device Seizure, 321
DFCB (Digital Forensics Certification Board), 446–447
DFRWS (Digital Forensics Research Workshop), 146
Dictionary attacks, steganography, 354
Digital Assembly, 146
Digital audio recorder, 420
Digital camera, as forensic tool, 419–420
Digital evidence. See also Crime scene; Digital forensics.
authenticity, 95
class characteristics, 94
individual characteristics, 94
latent, 94
longevity, 95
obtaining legally, 96
patent, 94
relevance, 96
reliability, 95
stability, 95
Digital forensics. See also Digital evidence.
vs. computer science, 92
Crime Investigation: ...and the Police Laboratory, 93
Cyber Forensics: A Field Manual..., 91
definition, 92
digital evidence vs. physical, 94–96
Locard’s exchange principle, 93
Digital Forensics Certification Board (DFCB), 446–447
Digital Forensics Certified Associate, 446–447
Digital Forensics Certified Practitioner, 446–447
Digital Forensics Research Workshop (DFRWS), 146
Digital Intelligence, 415
Digital Intelligence, forensics workstations, 425–427
Digital Millennium Copyright Act (DMCA), 29
#dir slot command, 272
Directed compound file, 335–336
Directory Snoop
browser history analysis, 223, 227
description, 409
examining metadata files, 135
restoring file under NTFS, 143–144
Disclosure, e-discovery, 361–363
Discoverable items, 14
Discovery. See also E-discovery.
definition, 513
Disguised files. See File recovery.
Disk Explorer for FAT, 409
Disk Explorer for NTFS, 409
Disk images, file formats
AFF (Advanced Forensic Format), 126
DD (bit for bit) images, 124
EWF (Expert Witness Format), 124–125
IDIF (iLook Default Image Format), 127
IEIF (iLook Encrypted Image Format), 127
iLook, 127
IRBF (iLook Raw Bitstream Format), 127
summary of, 123
Disk Investigator, 409
Disk Scrub, 109
DM (document management) systems, 164
DMCA (Digital Millennium Copyright Act), 29
.DMP files, 112
DNA testing, freeing the innocent, 95
DNS cache poisoning, 254
DocScrubber, 168
Doctor. See Physician.
Document management (DM) systems, 164
Documentation. See also Report writing; Reporting.
legal, preparing a list of, 4–5
levels of, 13
project management, 13
Documentation, levels of
chain of custody, 20
process, 18
Documenting
execution of search warrants, 41
Documents. See also Files.
authenticity, e-discovery, 375–377
DM (document management) systems, 164
imaging systems, file naming conventions, 296–297
management systems, e-discovery, 374–375
metadata, hiding data in, 166–175, 178–181
vs. metadata, cloud forensics, 285
preservation orders, 164
revision history, viewing, 168, 170–171
Doe v. U.S., 303
Domain, in e-mail addresses, 187
Domain name, querying e-mail by, 209–210
Double quotes (“ ”), Boolean operator, 205
DriveImageXL, 409
DriveLook, 409
Dual-channel memory, 432
Dual data rate (DDR) memory, 432
dumpchk.exe, 404
Duty to preserve, 362
DVDs, evidence handling, 103
E-discovery
analyzing potential data, 373–374
comparing hash values, 369–370
CTPH (context triggered piecewise hashing), 369–370
definition, 357
duplicates vs. near duplicates, 369–370
duty to preserve, 362
EDRM (Electronic Discovery Reference Model), 359–360
ESI (electronically stored information), 368–369
identifying target data, 361–364
information management, 360–361
metrics for potential data, 373–374
overview, 358
processing potential data, 370–371
production and presentation, 374–377
reasonable anticipation of litigation, 362
reviewing potential data, 372–373
rolling hash, 370
scope, 362
security of potential data, 372–373
trigger point, 362
E-discovery, data collection
determining completeness, 366
tools, 367–368. See also specific tools.
E-discovery, production and presentation
analyzing potential data, 375–377
Bates numbering, 376
document authenticity, 375–377
document management systems, 374–375
native format, 374
near-native format, 374
overview, 374
redaction, 376
unique identifiers, 376
multiple inboxes, 195
shared inboxes, 195
tracing sources, 202–203, 208–210
E-mail addresses
@ (at sign), 187
as passwords, 349
spoofing, 188
user domain, 187
user name, 187
E-mail analysis
domain name, querying by, 209–210
IP address, querying by, 208–210
E-mail clients
address book folder, 191
common examples, 190
definition, 187
handling deleted messages, 191
mail folders, 191
.mbx folders, 191
overview, 189
.pst folders, 191
saving messages, 191
.wab folders, 191
E-mail information stores, e-mail servers
ACK (acknowledgement) packets, 195
DNS (Domain Name Services), 195
IMAP servers, 195
incoming messages, 195
message deletion, 195
NACK (nonacknowledgement) packets, 195
POP servers, 195
E-mail information stores, Outlook
overview, 193
PST files, 193
version history, 194
E-mail information stores, Outlook Express
CLSID (content class identifier), 192
file formats, 192
IDX files, 192
.mbx files, 192
MBX files, 192
NCH files, 192
overview, 192
version history, 192
E-mail information stores, overview, 191–192. See also specific stores.
E-mail Mining Toolkit (EMT), 206
E-mail protocols
ESMTP (Extended SMTP), 188
handshaking packet, 188
HELO packet, 188
IMAP (Internet Message Access Protocol), 189
incoming messages, 188
outgoing messages, 188
POP3 (Post Office Protocol 3), 188–189
port 25, 188
port 143, 189
SMTP (Simple Mail Transport Protocol), 188
E-mail searches
analyzing search results, 205–206
attachment statistics, 207
companies involved in, 208
EMT (E-mail Mining Toolkit), 206
false negatives, 206
group communications, 207
histogram of account activity, 206
keyword searches, 205
precision, 206
recall, 206
recipient frequency, 207
similar users, 206
stationary user profiles, 206
tobacco industry, 205
tools for, 206
true negatives, 206
true positives, 206
warrants, 203
E-mail servers. See E-mail information stores, e-mail servers.
E-mail structure
header extraction, tools, 199–202
MIME (Multipurpose Internet Mail Extensions), 196
overview, 196
RE: prefix, 197
E-mail transport
clients, 187
e-mail servers, 187
MDA (mail delivery agent), 186, 515
MTA (mail transport agent), 186, 515
MUA (mail user agent), 186, 515
Eclipse device, 320
ECPA (Electronic Communications Privacy Act of 1986), 58–59
ECS (Electronic Communications Services), 58
EDiscovery, 408
EDRM (Electronic Discovery Reference Model), 359–360
Education, privacy legislation, 63–64
EFS (Encrypting File System), 347
EFSDump, 404
Egyptians, ancient case document, 379
8.3 file names, 134
Elasticity
cloud computing, 278
cloud forensics, 287
Electronic Crime Scene Investigation:..., 91
Electronic discovery, privacy legislation. See E-discovery.
Electronic information in the hands of a third party, expectation of privacy, 39–40
Electronic serial number (ESN), 315
Electronic Stored Communications Act (ESCA), 301–302
Electronically stored information (ESI), 368–369
EM (entry modified) attribute, 160–162
Embarrassing public disclosure, 30
EMT (E-mail Mining Toolkit), 206
Encase
creating timelines, 19
e-discovery, 370
forensic suites, certification program, 450
saving images in EWF (Expert Witness Format), 124
Encase Data, 118
Encase Enterprise, 234
Encase Forensics, 408
ENCE (Encase Certified Examiner), 450
ENCEP (Encase Certified eDiscovery Practitioner), 450
Enclosures for forensics workstations, 430
Encrypted devices, data acquisition from, 122
Encrypting File System (EFS), 347
Encryption
DESX (Data Encryption Standard eXORed), 347
EFS (Encrypting File System), 347
methods of, 347
smart cards, 347
Endace, 255
EndaceExtreme, 255
Energizer device, 319
Entry modified (EM) attribute, 160–162
Environmental Law Publishing, 72
E01, 118
Epoch time conversion, 237–238
Equifax, 60
Erasing data. See Deleting files; Destroying data.
ERRORLOG file, 266
ESCA (Electronic Stored Communications Act), 301–302
ESI (electronically stored information), 368–369
ESMTP (Extended SMTP), 188
ESN (electronic serial number), 315
Evidence. See also Crime scene.
class characteristics, 94
collection. See E-discovery, data collection; Network search, post-incident evidence collection; Network search, proactive evidence collection.
electronic. See Digital evidence.
examination, investigation stage, 387–388
individual characteristics, 94
latent, 94
patent, 94
provided under duress, 76
timeline for. See Chain of custody.
uncovering. See Discovery.
Evidence, admissibility. See also Authenticity of evidence; Federal Rules of Evidence.
constitutional constraints, 75
credibility, 74
evidence provided under duress, 76
flowchart, 73
material, 72
prejudice, 74
probative, 72
relevance, 72
Evidence handling. See also Data acquisition.
determining usability, 102
intrusion detection, 107
McKeever Test, 102
overview, 100
packaging evidence, 105
packaging materials, 105
photographing evidence, 104
policies and procedures, 470
secure evidence storage facilities, 107
securing the storage area, 107
transporting evidence, 105–106
video surveillance, 107
Evidence handling, computer systems
capturing live information, 103, 104
CDs, 103
DVDs, 103
floppy disks, 103
labeling cables and connectors, 104
networked computers, 104
removing the battery, 103
storing digital media, 103
VPNs (virtual private networks), 103
EWF (Expert Witness Format), 124–125
EWFACQUIRE, 124
ex ante (before the fact) action, 26
Excel
creating timelines, 19
loading registry file, 343
metadata, extracting, 181
Exclusionary rule
warrantless searches, 44
Exculpatory, definition, 513
Exigent circumstances, mobile device forensics, 323
Expansion slots for forensics workstations, 434
Experian, 60
Expert witnesses
becoming recognized as, 31
conditions for, 31
CV (curriculum vitae), 31
definition, 514
neutrality, 31
regulation of, 31
Ext file systems, 137
$Extend metadata file, 136
Extended Log fields, 242
Extended SMTP (ESMTP), 188
Extensible Markup Language (XML), 234
External storage units, 416
Exxon Valdez incident, 13
Eyewitnesses, 31
Fair Credit Reporting Act of 1970, 60
False negatives, 206
False publicity, 30
Faraday, Michael, 420
Faraday bags, 98
Faraday shields, 420
Fast meta refresh, 224
FDPA (Fair Debt Collection Practices Act of 2006), 62
Federal Rules of Civil Procedure (FRCP). See FRCP (Federal Rules of Civil Procedure).
Federal Rules of Evidence. See also Evidence.
admissibility of evidence, 11. See also Evidence, admissibility.
definition, 514
expert witnesses, 31
eyewitnesses, 31
issuing a warrant (41b), 40
Fees, certification, 447
Felt-tipped pens, 421
FERPA (Family Educational Rights and Privacy Act) of 2008, 63–64
Fifth Amendment
cloud forensics, 303
divulging passwords, 27
File Allocation Tables, 133–135
File extensions
File formats for disk images
AFF (Advanced Forensic Format), 126
DD (bit for bit) images, 124
EWF (Expert Witness Format), 124–125
IDIF (iLook Default Image Format), 127
IEIF (iLook Encrypted Image Format), 127
iLook, 127
IRBF (iLook Raw Bitstream Format), 127
summary of, 123
File headers
file metadata, 156
File metadata. See also Metadata.
common examples, 178
data attribute, 154
file header, 156
human-readable vs. binary, 156
magic numbers, 157
NTFS attributes, 154
overview, 153
sample, 156
File names, Microsoft file system, 134
File objects, UNIX/Linux file systems, 137–138
File recovery. See also Data recovery.
LBD (Long Block Data) standard, 139–140
from slack space. See Data carving.
from unallocated space. See Data carving.
Clearing and Sanitizing Matrix, 142
cloud forensics, 291
Department of Defense specifications, 142
hidden files, 142
INFO file, 142
INFO2 file, 142
Recycle Bin, 142
File recovery, Microsoft file systems
8.3 file names, 134
$BadClus metadata file, 135–136
File Allocation Tables, 133–135
file names, 134
IDEMA (International Disk Drive Equipment and Materials Association), 139
LBD (Long Block Data) standard, 139–140
MFT (Master File Table), 135, 144
slack space, description, 138–140
slack space vs. unallocated space, 140
storage devices, layout, 132–133
summary of, 132
from unallocated space, 140
File recovery, UNIX/Linux file systems
Ext, 137
Reiser, 137
UFS (UNIX File System), 137
File structure
overview, 153
sample, 156
File systems. See Microsoft file systems; UNIX/Linux file systems.
File Transfer Protocol (FTP), 214
File wipes, browser history analysis, 227–230
Filematch, 409
Files. See also Documents.
comparing hash values, 369–370
duplicates vs. near duplicates, 369–370
embedded in other files, 146
internal identifiers, 153
last access time stamp, 160
last modification time stamp, 160–162
naming conventions for case management, 381–382
Film cameras, as threat to privacy, 30
Filter categories, e-discovery, 371–372
Filtering steganography, 351
Financial privacy. See Privacy legislation, financial.
Finder, 406
Findings, final report, 392
Finley, U.S. v., 323
Firefox, browser history, 220
First Amendment
assigning accountability, 29
copyright infringement, 29
“dance hall proprietor vs. landlord” argument, 29
DMCA (Digital Millennium Copyright Act), 29
ISPs and, 29
LiveJournal, 29
vs. pedophilia, 29
pirated intellectual property, 29
press, definition of, 28
YouTube, 29
First response
Electronic Crime Scene Investigation:..., 91
Flash disk files, displaying, 272
Floppy disks
evidence handling, 103
Microsoft file system, 133–134
fls, 163
Focus categories, e-discovery, 371–372
Footprints, software, 116
For-profit organizations, as revenue source, 478–479
Forensic, definition, 514
Forensic ComboDock, 122
Forensic Computers, Inc., 415, 428–429
Forensic Dossier, 119
Forensic PC, 415
Forensic Recovery of Evidence Device Diminutive Interrogation Equipment (FREDDIE), 425, 427
Forensic Recovery of Evidence Device (FRED), 425–427
Forensic Tool Kit (FTK). See FTK (Forensic Tool Kit).
Forensic Ultra Dock, 118
Forensics
computer analysis, 92. See also Digital forensics.
definition, 92
Forensics workstations
accessibility of data, 425
authenticity of data, 425
computer power, 424
computer security, 424
definition, 424
features, 417
Forensics workstations, building
The A+ Guide to PC Hardware Maintenance and Repair, 423
PC Hardware Maintenance and Repair, 417
requirements, 418
Upgrading and Repairing PCs, 423
Forensics workstations, building (hardware)
32-bit vs. 64-bit systems, 432, 438
AMD processors, 431
DDR (dual data rate) memory, 432
dual-channel memory, 432
enclosures, 430
expansion slots, 434
front side bus, 431
I/O ports, 437
Intel processors, 431
memory card reader, 437
memory density, 433
multicore processors, 431
RDRAM (Rambus Dynamic Random Access Memory), 432
Tableau controllers, 436
Tableau write protection devices, 436
Forensics workstations, building (software)
applications, 439
GIMP, 439
image processing, 439
KOffice, 439
Office, 439
office suites, 439
OpenOffice, 439
OpticsPro, 439
Photoshop, 439
Windows 7, 438
Forensics workstations, buying
FRED (Forensic Recovery of Evidence Device), 425–427
FREDDIE (Forensic Recovery of Evidence Device Diminutive Interrogation Equipment), 425, 427
TriTech Forensics, 429
Forms, samples
chain of custody, 509
forensic imaging data, 510
photographs of physical disk, 510
physical disk information, 510
search warrants, 506
subpoenas, 507
Fourth Amendment
agent of the government, 25–26
cloud forensics issues, 301–302
fishing expeditions, 24
probable cause, 26
reasonable expectation of privacy, 26
unreasonable search and seizure, 25–26
Writs of Assistance, 24
FQDN (Fully Qualified Domain Name), 214–215, 514
Fragmented files, data carving, 146
Frameworks for case management, 380
FRCP (Federal Rules of Civil Procedure)
civil investigations, 9
disclosure (Rule 26f), 361–363
expert witnesses, 31
eyewitnesses, 31
role of electronic documentation (Rule 34), 358
FRED (Forensic Recovery of Evidence Device), 425–427
FREDDIE (Forensic Recovery of Evidence Device Diminutive Interrogation Equipment), 425, 427
Fricosu, Ramona, 75
Front side bus, 431
Fruit of a poisonous tree, 88
FTK (Forensic Tool Kit)
creating timelines, 19
e-discovery, 370
EWF support, 124
live capture of registry entries, 331
FTP (File Transfer Protocol), 214
Fully Qualified Domain Name (FQDN), 214–215, 514
Garbage, reasonable expectation of privacy, 39, 274
Gargoyle, 354
GCFA (GIAC Certified Forensic Analyst), 443–444
GCFE (GIAC Certified Forensic Examiner), 443–445
General case documentation, 14–15
General warrants. See Writs of assistance.
Georgia v. Randolph, 48
GIAC Certified Forensic Analyst (GCFA), 443–444
GIAC Certified Forensic Examiner (GCFE), 443–445
GIAC (Global Information Assurance Certification), 443
GIAC Reverse Engineering Malware, 443
GIMP (Graphics Image Manipulator Program), 439
Governance, policies and procedures, 468
GPS (Global Positioning System), 311–313
Graceful shutdown, data destruction, 143
Gramm-Leach-Bliley Act of 1999, 61–62
Grand, Joe, 119
Grants, as revenue source, 480
Graphics Image Manipulator Program (GIMP), 439
Greenwood, California v., 39, 274
GREP
Linux, 405
Macintosh OSX, 406
searching hidden data, 180–181
Group communications, e-mail searches, 207
Grouping VMs (virtual machines), 292
GSM (Global System for Mobile Communications), 310–311
Guessing passwords, 348
Guest operating systems, VMs, 291–292
Guidance Software
certification program, 450
detecting duplicate files, 370
Encase Forensics, 408
evidentiary tools, 7
EWF (Expert Witness Format), 124
Neutrino, 408
Tableau controllers, 436
write-protect interfaces, 415
Guidelines for Evidence Collection and Archiving, 112
Hagopian v. Publix Supermarkets, Inc., 362
Handling evidence. See Evidence handling.
Handshaking packet, 188
Hard disks
collecting data from. See Data acquisition from media.
Microsoft file system, 133–137
physical disk information, sample form, 510
Hard skills, certification, 445
A Hardware-Based Memory Acquisition..., 119
Hardware inventory at crime scenes, 99–100
Hardware memory capture, 119–120
Hargrove v. Commonwealth, 21
Hash, definition, 514
Hash utility, 409
Hash values
rolling hash, 370
Hashing the memory image, 114
HDAT2, 338
HEAD, 406
Health care, privacy legislation, 62–63
Health Insurance Portability and Accountability Act (HIPAA) of 1996, 62–63
admissibility as evidence, 75–76
definition, 514
Hellman tables, 349
HELO packet, 188
Hidden files, Recycle Bin, 142. See also File recovery.
Hiding data. See also Covert data.
in an ADS (alternate data stream), 344–346
common file metadata, 178
document metadata, 166–175, 178–181
finding hidden streams, 346
HPA/DCO data hiding, 338
HPA (Host Protected Area), 337–338
partition slack, 339
tools for finding, 168, 178–181, 338. See also specific tools.
warrens, 337
Hiding data, in the registry
field values, 343
tools, 342. See also specific tools.
HIPAA (Health Insurance Portability and Accountability Act) of 1996, 62–63
Hiring, policies and procedures, 469
Histogram of e-mail account activity, 206
History of events. See Timeline.
HKEY_USERS, Windows registry, 328–331
HLR (Home Locator Register), 310
Hooks, detecting, 117
Horowitz, U.S. v., 40
Host operating systems, VMs, 291–292
Host protected area, 514
Hosted application management, 282
Howard et al., U.S. v., 25
HPA/DCO data hiding, 338
HPA (Host Protected Area), 337–338
HTML (HyperText Markup Language), 216
HTTP 300 message, 224
HTTP (Hypertext Transfer Protocol)
Internet addresses, 214
HTTPERR Web server logs, 235
HTTPS (Hypertext Transfer Protocol Secure), 214
Human-readable metadata vs. binary metadata, 156
Hybrid cloud, 279
I/O ports, 437
i4i Limited Partnership v. Microsoft Corporation, 13
IaaS (Infrastructure as a Service), 280–282
ICCID (Integrated Circuit Chip Identifier), 315
IDEMA (International Disk Drive Equipment and Materials Association), 139
Identification/assessment, 4–5
IDIF (iLook Default Image Format), 127
IDX files, 192
IEIF (iLook Encrypted Image Format), 127
IIS ODBC (Open Database Connectivity) Web server logs, 234
IISMSID Web server logs, 235
iLook, 127
Image extraction, cell phones, 320–321
Image processing
forensic imaging data, sample form, 510
forensics workstations, 439
legal argument for, 123
photographs of physical disk, sample form, 510
IMAP (Internet Message Access Protocol), 189, 514
IMEI (International Mobile Equipment Identity), 315–316
Inaccessible data, 366–367, 514
Inadvertence approach
authenticity of evidence, 78
plain view doctrine, 78
Inadvertent discovery of child pornography, 78
Inboxes, e-mail
multiple per user, 195
sharing, 195
Incriminating, definition, 514
Inculpatory, definition, 514
Individual characteristics of evidence, 94
INFO file, 142
INFO2 file, 142
Information store, definition, 514
Infrastructure as a Service (IaaS), 280–282
Installed software, extracting registry history by user, 331
Instances, 282. See also VMs (virtual machines).
Integrated Circuit Chip Identifier (ICCID), 315
Intel processors, 431
Intelligent Computer Systems, 415
Internal investigations
International Disk Drive Equipment and Materials Association (IDEMA), 139
International Mobile Equipment Identity (IMEI), 315–316
International Society of Forensic Computer Examiners (ISFCE), 448
Internet addresses
FQDN (fully qualified domain name), 214–215
FTP (File Transfer Protocol), 214
HTTP (Hypertext Transfer Protocol), 214
HTTPS (Hypertext Transfer Protocol Secure), 214
overview, 213
scheme, 214
top-level domain, 215
URLs (Uniform Resource Locators), 213–214
Internet Explorer, browser history, 219
Internet history, tools for tracing, 19
Internet Message Access Protocol (IMAP), 189, 514
Intrusion detection, 107
Intrusion on seclusion or solitude, 30
Investigation model
collection/acquisition, 5
flowchart, 3
identification/assessment, 4–5
investigator’s burden of proof, 5
legal documentation, listing, 4–5
criminal investigations, 10–12
Investigation stage, case management
crime scene management, 385–386
lab preparation, 386
Investigations, 1. See also specific types.
Invisible files. See File recovery.
IP addresses
spoofing, 254
IRBF (iLook Raw Bitstream Format), 127
ISFCE (International Society of Forensic Computer Examiners), 448
ISPs (Internet service providers), First Amendment protection, 29. See also Service providers, electronic communication.
IXimager, 127
Jackson, Dorothy, 82
Jarrett, U.S. v., 87
JavaCool Software, 168
Jefferson, William, 67
Jeter v. Commonwealth, 21
John Doe, U.S. v., 75
John the Ripper, 349
Jurisdiction in cyberspace, 85–86
Jurisdictional issues, cloud forensics, 285
Kazeon Systems, 372
KeeLog, 251
Kendra D’Andrea, U.S. v., 88
KeyCapture, 251
Keygrabber Wi-Fi, 251
Keyloggers
definition, 515
proactive evidence collection, 251–252
Keystrokes, recording, 251–252
Keyword searches, e-mail, 205
Kill switch on targeted equipment, 41–42
Kirk, Paul L., 93
Knock and announce rule, 41
Knowledge of possession, 222–224
KOffice, 439
Kornblum, Jesse, 271
Lab preparation, 386
Laptop computer, as forensic tool, 419
Laser printers, retrieving evidence from, 100
Latent evidence, 94
Laws. See Constitution of the United States; Privacy legislation; specific laws.
LBD (Long Block Data) standard, 139–140
LDE (Linux Disk Editor), 405
LDF (log data file), 298
Least significant bit (LSB) insertion, steganography, 351
Legal aspects of investigations. See Constitution of the United States; Privacy legislation; specific issues.
Legal/ethical issues of starting a forensics shop, 471–472
Legislation. See Constitution of the United States; Privacy legislation; specific legislation.
Licensing, 452–453. See also Certification.
Linux, forensics workstations, 438–439
Linux, tools
DD (Disk Dump), 405
GREP, 405
LDE (Linux Disk Editor), 405
suites, 407
Litigation, definition, 515
definition, 515
Live acquisition, Web servers, 233–234
Live connection information, 261–262
Live response, 113–115. See also Data acquisition from memory.
LiveJournal, 29
Locard’s exchange principle, 93
Lockdown, 408
Log files. See also Web server logs.
definition, 515
investigation, creating, 118–119
Log files, post-incident evidence collection
application logs, 263, 264–268
AVG Antivirus logs, 268
database activity logs, 266
ERRORLOG file, 266
log.trc file, 266
McAfee Antivirus logs, 267–268
overview, 262
SQL Server Agent log, 266
SQL Server Error log, 266
SQL Server Profile log, 266
SQLAGENT.OUT file, 266
Symantec Antivirus logs, 267
Log Parser 2.2, 236
$LogFile metadata file, 136
Logging per server, 238
Logicube, 119
LogParser, 342
Logs
database transaction logs, 298
LDF (log data file), 298
Log.trc file, 266
Long Block Data (LBD) standard, 139–140
Longevity of digital evidence, 95
Lossless
abstraction layers, 399
definition, 515
steganography compression, 350
Lossy
abstraction layers, 399
definition, 515
steganography compression, 350
Lost files. See File recovery.
Lovell v. City of Griffin, 28
LSB (least significant bit) insertion, steganography, 351
Lyons, U.S. v., 39
MAC (modify, access, create) file data
fls utility, 163
access attribute, 160
analysis tool, 163
body file, 163
creating a timeline, 19
definition, 515
DM (document management) systems, 164
EM (entry modified) attribute, 160–162
file creation time stamp, 159–160
investigative uses for, 162–164
last access time stamp, 160
last modification time stamp, 160–162
modifying attribute, 160
The Sleuth Kit, 163
timeline creation, 163
Macintosh OSX, tools
Finder, 406
GREP, 406
HEAD, 406
overview, 406
MACtime, 19
Magic numbers, 157
Mail delivery agent (MDA), 186, 515
Mail folders, 191
Mail transport agent (MTA), 186, 515
Mail user agent (MUA), 186, 515
Malware, detecting, 227
Mancusi v. DeForte, 49
Mandiant Systems, 117
Mann, U.S. v., 78
Maresware, 354
Masking, steganography, 351
Master database file (MDF), 296, 298–299
Master File Table (MFT), 135, 144, 223, 332–335
Material evidence, 72
.mbx files, 192
MBX files, 192
.mbx folders, 191
McAfee Antivirus logs, 267–268
McFadden, Martin, 45
McKeever, U.S. v., 102
McKeever Test for evidence handling, 102
MD5 hash
calculating, 118
definition, 515
MDA (mail delivery agent), 186, 515
MDF (master database file), 296, 298–299
Measured service, cloud computing, 278
MEID (mobile equipment identifier), 315–316
Memory
acquiring data from. See Data acquisition from memory.
density, 433
as a device, 116
forensics workstations, 432–433
system vs. addressable, 114–115
Memory card reader, 437
Memory Grabber Forensic Tool, 119
Memoryze, 117
Messages, steganography, 351
Metadata. See also Documents, metadata; File metadata; Temporary files.
British Government incident, 167–168
definition, 515
deleted documents, proving existence of, 159–162
vs. documents, cloud forensics, 285
UNIX/Linux file systems, 137–138
Metadata, types of
summary, 158. See also specific types.
Metadata Analyzer, 181
Metadata Extraction Tool, 178
Metadata files
tools, 135
Metadiscover, 408
Metaviewer, 409
Metrics for software tools, 400
MFCE (Mobile Forensics Certified Examiner), 448–449
MFI (Mobile Forensics, Inc.), 448–449
MFT (Master File Table), 135, 144, 223, 332–335
MFT metadata, effects of deleting files, 229
$MftMirr metadata file, 136
MHDD, 338
Micro-SIM cards, 314
Microsoft file systems
8.3 file names, 134
$BadClus metadata file, 135–136
File Allocation Tables, 133–135
file names, 134
IDEMA (International Disk Drive Equipment and Materials Association), 139
LBD (Long Block Data) standard, 139–140
MFT (Master File Table), 135, 144
slack space, description, 138–140
slack space vs. unallocated space, 140
storage devices, layout, 132–133
summary of, 132
from unallocated space, 140
Microsoft products. See specific products.
Miller, U.S. v., 302
MIME (Multipurpose Internet Mail Extensions), 196, 515
Mini-SIM cards, 314
Minus sign (-), Boolean operator, 205
Mnemonics as passwords, 349
Mobile devices, forensics. See also specific devices.
exigent circumstances, 323
presumption of ownership, 323–324
search and seizure laws, 322–323
Mobile equipment identifier (MEID), 315–316
Mobile Forensics, Inc. (MFI), 448–449
Mobile Forensics Certified Examiner (MFCE), 448–449
Mobile Switching Center (MSC), 310
Modify, access, create (MAC) file data. See MAC (modify, access, create) file data.
Modifying attribute, 160
MoonSols toolkit, 118
Most, U.S. v., 40
Most recently used (MRU) files, extracting registry history, 328–331
Most recently used (MRU) sites, Web browsers, 217
MRU (most recently used) files, extracting registry history, 328–331
MRU (most recently used) sites, Web browsers, 217
MSC (Mobile Switching Center), 310
MTA (mail transport agent), 186, 515
MUA (mail user agent), 186, 515
Multicore processors, 431
Multiple users on a computer, authenticity of evidence, 80–81, 83
Multipurpose Internet Mail Extensions (MIME), 196, 515
National Library of New Zealand, 178
Native format, 374
NCH files, 192
NCSA (Common Log) Web server logs, 234
Near-native format, 374
NEAR operator, 205
net sessions command, 262
net share command, 262
net use command, 262
Netcat, 118
Netstat, definition, 516
netstat command, 262
Network connections, listing, 262
Network forensics, Windows tools, 403–404
Network Instruments, 255
Network interface cards (NICs), promiscuous mode, 257
Network search. See also Virtual networking.
response plan objectives, 250
Network search, evidence collection
Network search, post-incident evidence collection
application logs, 263, 264–268
AVG Antivirus logs, 268
database activity logs, 266
ERRORLOG file, 266
log.trc file, 266
McAfee Antivirus logs, 267–268
overview, 262
SQL Server Agent log, 266
SQL Server Error log, 266
SQL Server Profile log, 266
SQLAGENT.OUT file, 266
Symantec Antivirus logs, 267
Network search, proactive evidence collection
acquisition window, 255
altering the source IP, 254
anonymous remailers, 254
authenticity, verifying, 254–255
blanket search, 252
collecting passwords, 251
consent exception, 252
DNS cache poisoning, 254
interception devices, 251
IP spoofing, 254
live connection information, 261–262
net sessions command, 262
net share command, 262
net use command, 262
netstat command, 262
network connections, listing, 262
onion routing, 254
Ordinary Course of Business exception, 252
password requirements, modifying, 262
promiscuous mode, 257
sessionizing, 257
shared resources, listing, 262
tapping private computers, 252
tools, 251, 255–256. See also specific tools.
Network search, router and switch forensics
command history, listing, 272
#copy startupconfig tftp command, 272
#dir slot command, 272
flash disk files, displaying, 272
nonvolatile information, collecting, 272–273
nonvolatile information, definition, 269
NVRAM (Nonvolatile Random Access Memory), 272
#show history command, 272
#show users command, 272
startup configuration, copying, 272
tools, 271–272, 274. See also specific tools.
users, listing, 272
volatile information, collecting, 270–272
volatile information, definition, 268–269
Networked computers, evidence handling, 104
Neutrino, 408
Nicodema S. Scarfo et al., U.S. v., 252
NICs (network interface cards), promiscuous mode, 257
No-knock warrants
definition, 516
knock and announce rule, 41
Nodes, 292
Nonprofit organizations, as revenue source, 479–480
Nonvolatile information
definition, 269
NOT operator, 205
Notepad++, loading registry file, 343
Novell log files. See Proxy server logs, Novell.
NSLookup, 516
NTFS attributes, 154
NTFS metafiles, 333
Null cipher
definition, 516
steganography, 354
NVRAM files, 293
NVRAM (Nonvolatile Random Access Memory), router and switch forensics, 272
NWAdmin, 243
Observer, 255
O’Connor v. Ortega, 324
ODBC, 243
Office, 439
Office suites, 439
Oliver v. U.S., 39
Omnibus Control and Safe Streets Act of 1968, 58
On-demand service, cloud computing, 278
Onion routing, 254
Open Database Connectivity (IIS ODBC) Web server logs, 234
OpenOffice, 439
Operating systems, forensics workstations, 438–439
OpticsPro, 439
OR operator, 204
Oracle, 292
Order of volatility, data acquisition, 112
Ordinary Course of Business exception, 252
Ortiz, U.S. v., 322
OS metadata, value of, 159–162
OS utilities, 401
O’Scannlain, Diarmuid F., 49
Ostensible authority
definition, 516
description, 49
Outgoing messages, 188
Outlook
overview, 193
PST files, 193
version history, 194
Outlook Express
CLSID (content class identifier), 192
file formats, 192
IDX files, 192
.mbx files, 192
MBX files, 192
NCH files, 192
overview, 192
version history, 192
P2 Explorer, 328
P2P (peer to peer) networking, 288
PaaS (Platform as a Service), 284
Packaging evidence, 105
Paraben Certified Forensic Examiner (PCFE), 452
Paraben Certified Mobile Examiner (PCME), 452
Paraben Software
certification program, 451–452
Decryption Collection, 408
Device Seizure, 321
Eclipse, 320
Lockdown, 408
P2 Explorer, 328
Project-A-Phone, 320
Registry Analyzer, 178
Save-A-Phone, 321
StrongHold pouch, 319
Parse, definition, 516
Particularity
definition, 516
search, 84
search warrant requirements, 36
Partition slack, 339
Partitions
definition, 516
Microsoft file system, 132–133
Pasco, 221
Password cracking
@ (at sign) in, 349
brute-force attacks, 349
cracking algorithms, 349
e-mail addresses as, 349
guessing, 348
Hellman tables, 349
mnemonics as, 349
rainbow tables, 349
recovering from media, 122
tools, 349
Password-encoded accounts, authenticity of evidence, 80–81, 88
Passwords
cell phone, extracting, 320–321
collecting during proactive evidence collection, 251
concealed at a crime scene, 100
Fifth Amendment protection, 27, 303
forced surrender of, 303
multiple user access to, 284
requirements, modifying, 262
Patent evidence, 94
Patriot Act, sneak and peek warrants, 42
Payton v. New York, 38
PC Hardware Maintenance and Repair, 417
PCFE (Paraben Certified Forensic Examiner), 452
PCME (Paraben Certified Mobile Examiner), 452
PCs for forensics work. See Forensics workstations.
Pedophiles. See also Child pornography.
exposed by vigilantes, 88
on LiveJournal, 29
private citizens searching for, 88
Peer to peer (P2P) networking, 288
PendMoves, 404
Personal property, warrantless searches, 47–48
Personnel, starting a forensics shop, 472–473
Perverted Justice, 88
PG Pinpoint, 408
Phone companies. See Service providers, electronic communication.
Photographing evidence, 104
Photoshop, 439
Physical disk information, sample form, 510
Physical disk photographs, sample form, 510
Physical evidence vs. digital, 94–96
Physician/patient privilege, 64–65
PII (personally identifiable information)
definition, 516
handling, 473
PIN (personal identification number)
cell phones, 314
description, 314
Pin unlock key (PUK), 314
Pinpoint Labs
Metadiscover, 408
PG Pinpoint, 408
SafeCopy, 408
Pinpoint Tools
Filematch, 409
Hash, 409
Metaviewer, 409
Safecopy, 409
Piping commands, 124
Pirated intellectual property, 29
Pivotal Guidance, 409
Plain view doctrine
authenticity of evidence, 77–79
computers as containers, 79
definition, 516
exception to reasonable expectation of privacy, 39
inadvertence approach, 78
overview, 77
search and seizure, 37
Plaintiff
in civil cases, 1
in criminal cases, 1
definition, 517
as stakeholder, 12
Platform as a Service (PaaS), 284
Plus sign (+), Boolean operator, 205
PMBOK (Project Management Book of Knowledge), 14
PMI (Project Management Institute), 14
Policies and procedures, in a forensics shop
accepting assignments, 469
evidence handling, 470
governance, 468
hiring, 469
procedural policies, 470
training, 469
Pop-up bombs, 224
POP3 (Post Office Protocol 3), 188–189, 517
Port 25, e-mail protocols, 188
Port 143, e-mail protocols, 189
Port replicator, 122
Post-incident evidence collection. See Network search, post-incident evidence collection.
Powering off devices
destroying data during graceful shutdown, 143
with encryption, 348
pulling the plug, 143
Precision, e-mail searches, 206
Prejudiced, definition, 517
Prejudicial of evidence, 74, 517
Preparation stage, case management, 381–382
Present possession concept, 222
Presenting results, case management, 388–389
Preservation
Preservation orders
definition, 517
description, 59
for documents, 164
Press, definition of, 28
Presslock evidence bags, 421
Pretexting provision, 62
Privacy, right to
appropriation of name or likeness, 30
in the Constitution of the United States, 29–30
embarrassing public disclosure, 30
false publicity, 30
film cameras as threat to, 30
individual, 30
intrusion on seclusion or solitude, 30
laws restricting, 30
“Privacy,” 30
The Right to Privacy, 30
seclusion and solitude tort, 30
The Privacy Act of 1974, 56–58
Privacy legislation. See also Reasonable expectation of privacy.
FERPA (Family Educational Rights and Privacy Act) of 2008, 63–64
HIPAA (Health Insurance Portability and Accountability Act) of 1996, 62–63
rights covered in the Constitution, 29–30, 55
Privacy legislation, financial
CRA (Consumer Reporting Agencies), guidelines for, 60
credit reports, 60
debt collection, 62
Fair Credit Reporting Act of 1970, 60
FDPA (Fair Debt Collection Practices Act of 2006), 62
Gramm-Leach-Bliley Act of 1999, 61–62
overview, 59
pretexting provision, 62
Right to Financial Privacy Act of 1978, 60–61
Privacy legislation, general privacy
audit trails, 57
ECPA (Electronic Communications Privacy Act of 1986), 58–59
ECS (Electronic Communications Services), 58
Omnibus Control and Safe Streets Act of 1968, 58
overview, 56
The Privacy Act of 1974, 56–58
private communications over electronic media, 58–59
RCS (Remote Computing Services), 58
SCA (Stored Communication Act), 58
Wiretap Act, 58
Privacy legislation, privileged information
attorney/client privilege, 64–65
exceptions to, 66
overview, 64
physician/patient privilege, 64–65
protective orders, 66
Private citizens performing searches
vs. agents of the government, 38
Artists Against 419, 88
constitutional limitations, 86–87
fruit of a poisonous tree, 88
limits of the Constitution, 86–87
for pedophiles, 88
Perverted Justice, 88
for scam artists, 88
“wink and the nod” approach, 87
Private communications over electronic media, privacy legislation, 58–59
Private investigators, as agents of the government, 25–26
Private sector organizations
reasonable expectation of privacy, 49
Privileged information. See also Privacy legislation, privileged information.
definition, 517
Proactive evidence collection. See Network search, proactive evidence collection.
Probable cause
ex ante (before the fact) action, 26
in the Fourth Amendment, 26
search warrants, 36
Probative evidence, 72
Procedural documentation, 15–18
Process documentation, 18
Processes, acquiring data from. See Data acquisition from memory.
Processor power, forensics workstations, 430–431
Product testing, 475
Project-A-Phone device, 320
Project management, documentation, 13
Project Management Book of Knowledge (PMBOK), 14
Project Management Institute (PMI), 14
Prosser, William, 30
Protected mode, Web browsers, 219
Protecting non-targeted information, 290–291
Protective orders
definition, 517
privacy legislation, 66
Proxy, definition, 517
Proxy server logs
access log, 243
cache log, 243
configuration log, 243
file formats, 239
file naming conventions, 239
Squid, 243
Proxy server logs, analyzing
Sawmill utility, 244
WebTrends utility, 243
Proxy server logs, Novell
BUTIL utility, 243
Common Log fields, 240
CSAUDIT utility, 243
Extended Log fields, 242
NWAdmin utility, 243
ODBC utility, 243
tools, 243
Proxy servers. See also Web servers.
overview, 238
purpose of, 238
PSFile, 404
PSList, 404
PSService, 404
PST files, 193
.pst folders, 191
Public cloud, 279
Public sector organizations, warrantless searches, 49–50
PUK (pin unlock key), 314
PyFlag, 124
Quon, City of Ontario, California v., 324
Radio frequency isolation, 318–319
Rakas v. Illinois, 39
RAM (random access memory), 315
Ramses IX, ancient case document, 379
Rangwala, Glen, 168
RAT (Router Audit Tool), 272
RCS (Remote Computing Services), 58
RDRAM (Rambus Dynamic Random Access Memory), 432
RE: prefix, e-mail, 197
Real-time monitoring, cloud forensics, 291
Reasonable anticipation of litigation, 362
Reasonable expectation of privacy. See also Privacy legislation.
closed container clause, 38–39
cloud forensics, 302
definition, 517
factors determining, 38
in the Fourth Amendment, 26
law enforcement exceptions, 57
multiple users on a computer, 80–81, 83
non-U.S. citizens, 57
password-encoded accounts, 80–81, 88
plain view exception, 39
in private sector organizations, 49
searches, 38
stored electronic information in the hands of a third party, 39–40
Recall, e-mail searches, 206
Recipient frequency, e-mail searches, 207
Records, Computers, and the Rights of Citizens, 56
Recovering files or data. See Data recovery; File recovery.
Recycle Bin. See also Deleted files; File recovery.
deleting files, 142
$Recycle Bin file, 144
Redundant pattern encoding, steganography, 351
regedit (registry editor), 402–403
Registry
accessing, 225
browser history analysis, 225–226
Registry, extracting history from
deleted applications, 330
HKEY_USERS, Windows registry, 328–331
installed software, by user, 331
MRU (most recently used) files, 328–331
SID (Security Identifier), 329
tools, 331. See also specific tools.
Registry, hiding data in
field values, 343
tools, 342. See also specific tools.
Registry Analyzer, 178
RegRipper, 331
Reiser file system, 137
Relevance
definition, 518
digital evidence, 96
Relevant, definition, 518
Relevant evidence, 72
Reliability of digital evidence, 95
Remote Computing Services (RCS), 58
Report writing, contents, 389–390
Report writing, structure
acquisition and preparation, 391–392
case summary, 391
findings, 392
Reporting. See also Documentation.
policies and procedures, 470–471
software for cell phones, 321
Resource pooling, cloud computing, 278
Revenue sources. See also Costs.
corporate departments, 480–481
for-profit organizations, 478–479
grants, 480
nonprofit organizations, 479–480
overview, 478
Reviewing potential data, 372–373
Revision history, viewing, 168, 170–171
Reyes, U.S. v., 39
Right to Financial Privacy Act of 1978, 60–61
Right to privacy
appropriation of name or likeness, 30
in the Constitution of the United States, 29–30
embarrassing public disclosure, 30
false publicity, 30
film cameras as threat to, 30
individual, 30
intrusion on seclusion or solitude, 30
laws restricting, 30
legal precedence for, 30
“Privacy,” 30
The Right to Privacy, 30
seclusion and solitude tort, 30
Riverbed, 255
Rodriguez, U.S. v., 251
Rolling hash, 370
ROM (read-only memory), 315
RootkitRevealer, 404
Rootkits
definition, 114
Ross, U.S. v., 38
Rotating logs, 237
Router Audit Tool (RAT), 272
Router forensics. See Network search, router and switch forensics.
Royal & Sunalliance ... v. Lauderdale Marine Center, 362
Runtime
Captain Nemo, 409
Disk Explorer for FAT, 409
Disk Explorer for NTFS, 409
DriveImageXL, 409
DriveLook, 409
SaaS (Software as a Service), 282–284
SafeCard Services, Inc. v. SEC, 366
Salgado, U.S. v., 323
Save-A-Phone product, 321
Sawmill, 244
SCA (Stored Communication Act), 58
Scalpel, 149
Scam artists, private citizens searching for, 88
Scan once/print many devices, 99
Schemes
definition, 518
Internet addresses, 214
Schneckloth v. Bustamonte, 47
Scope of search. See also Breadth of search.
defining, 84
definition, 518
e-discovery, 362
Scope of the investigation. See Investigation scope.
Screen capture, cell phones, 320
Search, legal bounds. See also Warrantless searches.
breadth, 84
defining the scope, 84
exceeding the scope of the warrant, 38
particularity, 84
performed by a private citizen. See Private citizens performing searches.
reasonable expectation of privacy, 38
specificity, 84
Search and seizure. See also Unreasonable search and seizure.
fishing expeditions, 24
mobile device forensics, 322–323
offices of the press, 28
plain view doctrine, 37
sequence of events, 27
Search incident to arrest (SITA), cell phones, 317
Search processes, e-discovery, 363–364
Search warrants
after-hours, 41
after hours, 511
documenting execution of, 41
e-mail searches, 203
exception to requiring. See Plain view doctrine.
general. See Writs of assistance.
for offices of the press, 28
particularity requirements, 36
private citizens performing searches, 87–88
probable cause, 36
sample form, 506
Search warrants, no-knock
definition, 516
knock and announce rule, 41
Search warrants, sneak and peek
definition, 518
delayed notice, 42
description, 42
Patriot Act provisions, 42
third-party assistance, 42
Searching. See E-mail searches.
Searching and Seizing Computers..., 64–65, 67
Seclusion and solitude tort, 30
Sectors
definition, 518
Microsoft file system, 132–133, 139
Secure evidence storage facilities, 107
Secure Hash Algorithm
256-bit (SHA256), 518
512-bit (SHA512), 518
$Secure metadata file, 136
Security
forensics workstations, 424
Seizure, 37, 518. See also Search and seizure.
Server logs. See Proxy server logs; Web server logs.
Servers. See E-mail information stores, e-mail servers; Proxy servers; Web servers.
Service providers, electronic communication. See also ISPs (Internet service providers).
basic subscriber information, 58
categories of customer information, 58–59
content information, 59
customer records, 58
preservation orders, 59
voluntary release of information, 59
Serving subpoenas, 50
Sessionizing evidence collection, 257, 518
SHA1 hash, calculating, 118
Shared resources, listing, 262
#show history command, 272
#show users command, 272
Shred, 108
SID (Security Identifier), 329
Signatures, steganography, 354
SilentRunner, 408
SIM (Subscriber Identity Module) cards, 313–315, 518
Similar users, e-mail searches, 206
SIMless phones, 314
Simple Mail Transport Protocol (SMTP), 188
Single sign-on (SSO) security, 283
SITA (search incident to arrest), cell phones, 317
64-bit vs. 32-bit forensics workstations, 432, 438
Slack space
definition, 518
recovering data from. See Data carving.
vs. unallocated space, 140
Slacker, 338
The Sleuth Kit
browser history analysis, 220
for evidentiary use, 7
timelines from MAC data, 163
Smart cards, encryption, 347
Smart PC Solutions, 181
SmartCarving, 146
Smear images, 116
SMTP (Simple Mail Transport Protocol), 188
Snapshots, virtual machines, 294–295
Sneak and peek warrants
definition, 518
delayed notice, 42
description, 42
Patriot Act provisions, 42
third-party assistance, 42
Societal recognition of privacy, 38–39, 81
Soft skills, certification, 445
Software as a Service (SaaS), 282–284
Software change control, 477–478
Software memory capture, 117–119. See also Data acquisition from memory and running processes.
Sorting records, browser history analysis, 221
Specificity, search, 84
Spoliation
definition, 518
Spoofing
e-mail addresses, 188
IP addresses, 254
SQL MDF viewer, 298
SQL Server Agent log, 266
SQL Server Error log, 266
SQL Server Profile log, 266
SQLAGENT.OUT file, 266
SQUID, 519
Squid proxy server, 243
ssdeep fuzzy hashing algorithm, 370
SSO (single sign-on) security, 283
Stability of digital evidence, 95
Stakeholders
accused, 12
accuser, 12
Standalone computers, evidence handling, 103–104
Starting a shop
organizational certification, 481–483
PII (personally identifiable information), handling, 473
Starting a shop, building from scratch
estimating startup costs, 462–466
facilities improvement costs, 466
hardware acquisition costs, 463–464
logistics of building, 460–462
operational planning aspects, 461–462
preplanning, 459
scope of services, 460
software acquisition costs, 464–466
Starting a shop, change control, 477–478
Starting a shop, policies and procedures
accepting assignments, 469
evidence handling, 470
governance, 468
hiring, 469
procedural policies, 470
training, 469
Starting a shop, revenue sources
corporate departments, 480–481
for-profit organizations, 478–479
grants, 480
nonprofit organizations, 479–480
overview, 478
Starting a shop, technology management
adding new technology, 475–476
choosing equipment, 474
product testing, 475
support infrastructure, 474–475
Startup configuration, copying for router and switch forensics, 272
Stateful applications, 289
Stateless applications, 289
Statements requesting a warrant. See Affidavits.
Stationary user profiles, 206
StegAlyzer AS, 354
StegAlyzer SS, 354
Steganografia, 350
Steganography
algorithms, 351
carriers, 351
cover files, 351
definition, 519
detecting, 354
dictionary attacks, 354
filtering, 351
lossless compression, 350
lossy compression, 350
LSB (least significant bit) insertion, 351
masking, 351
messages, 351
null cipher, 354
overview, 350
redundant pattern encoding, 351
signatures, 354
stegoimage, 351
stegokey, 351
transformations, 351
StegBreak, 354
StegDetect, 354
Stego Watch, 354
Stegoimage, 351
Stegokey, 351
Storage device layout, Microsoft file system, 132–133
Storage models, cloud forensics, 287–288
Stored Communication Act (SCA), 58
Storing
digital media, 103
Streams, 404
string (Linux utility), 180
String search, file system metadata, 333
Strings (of text), recovering, 140–141
strings (Windows utility)
description, 404
wildcard searches, 180
StrongHold pouch, 319
Student information, privacy legislation, 63–64
SUBJECT: field, e-mail, 196–197
Subjective expectation of privacy, 81
Subpoena duces tecum
definition, 519
description, 36
Subpoenas
federal vs. state, 37
for journalists, 28
to produce materials. See Subpoena duces tecum.
proposing alternate conditions, 51
purpose of, 50
rules for issuing, serving, and executing, 50
sample form, 507
serving, 50
vs. warrants, 36
Subscriber Identity Module (SIM) cards, 313–315, 518
Superblocks, UNIX/Linux file systems, 137–138
Switch forensics. See Network search, router and switch forensics.
Syba I/O panels, 437
Symantec Antivirus logs, 267
SysInternals, 404
SYSINTERNALS suite, 346
System auditing, proactive evidence collection, 252–254
System memory vs. addressable, 114–115
System Research and Application Corporation, 119
Systools, 298
Tableau controllers, 436
Tableau write protection devices, 436
TAC (Type Allocation Code), 316
Tapping private computers, 252
Tarasoff v. Regents of the University of California, 65
TDMA (Time Division Multiple Access), 310–311
Teams, case management, 382. See also Taint teams.
Teams of virtual machines, 292
Technician’s toolkit, 414
Technology management
adding new technology, 475–476
choosing equipment, 474
product testing, 475
support infrastructure, 474–475
Technology Pathways, 127
Templates, documentation, 16–17
Temporary files
automatic deletion, 175
creating, 172
Terry v. Ohio, 45
Testimony
definition, 519
hearsay rule, 31
to material not witnessed by the speaker. See Hearsay.
Text Retrieval Conference (TReC), 205
Third-party assistance, sneak and peek warrants, 42
32-bit vs. 64-bit forensics workstations, 432, 438
Threat assessment, case management, 381
Time Division Multiple Access (TDMA), 310–311
Timeline Maker, 20
Timelines
browser history, creating, 220, 227
definition, 519
for evidence. See Chain of custody.
Timelines, creating
example, 19
MAC file data, 163
MAC (modify, access, create), file data, 19
Timestamps
browser history, 220
definition, 519
Tobacco industry, e-mail searches, 205
Tools (hardware), nontechnical
adhesive labels, 421
digital audio recorder, 420
Faraday shields, 420
felt-tipped pens, 421
laptop computer, 419
overview, 418
presslock evidence bags, 421
Tools (hardware), technical
Advanced Test Products, 415
Digital Intelligence, 415
external storage units, 416
Forensic Computers, Inc., 415
Forensic PC, 415
forensics workstations, 416–418
Guidance Software, 415
Intelligent Computer Systems, 415
overview, 413
technician’s toolkit, 414
WiebeTech, 118, 122, 416, 428–429
write-protect interfaces, 414–416
Tools (software). See also specific tools.
Adroit Photo Forensics, 146
Bee Docs, 20
Canon Imageware, 298
Captain Nemo, 409
Capture, 408
carver-recovery, 149
cell phone acquisition, 317–321
cell phone storage, 319
CFTT (Computer Forensics Tool Testing), 411
data abstraction layers, 396–398
data acquisition from media, 124–128
Decryption Collection, 408
demonstrating sound use of, 412–413
Directory Snoop, 135, 143–144, 409
Disk Explorer for FAT, 409
Disk Explorer for NTFS, 409
Disk Investigator, 409
displaying metadata files, 135
DocScrubber, 168
DriveImageXL, 409
DriveLook, 409
e-mail analysis, 206
e-mail header extraction, 199–202
e-mail searches, 206
EDiscovery, 408
EMT (E-mail Mining Toolkit), 206
Encase Forensics, 408
EWFACQUIRE, 124
Excel, 19
extracting registry history, 331
file recovery, 135, 140–141, 143–144
Filematch, 409
Forensic ComboDock, 122
Forensic Dossier, 119
Forensic Replicator, 408
Forensic Ultra Dock, 118
FTK (Forensic Tool Kit), 124
hardware memory capture, 119–120
Hash, 409
hidden data, reading, 168, 178–182
hiding data in slack space, 338
hiding data in the registry, 342
Internet history, tracing, 19
IXimager, 127
Lockdown, 408
Log Parser 2.2, 236
logging in a case log, 412
MAC analysis, 163
MACtime, 19
Memory Grabber Forensic Tool, 119
Memoryze, 117
Metadata Analyzer, 181
Metadiscover, 408
Metaviewer, 409
metrics for capabilities, 400
MoonSols toolkit, 118
Netcat, 118
Neutrino, 408
OS utilities, 401. See also specific operating systems.
Outlook header extraction, 199–202
P2 Commander, 408
password cracking, 349
PG Pinpoint, 408
proxy server log analysis, 243–244
PyFlag, 124
recovering temporary files, 175
Registry Analyzer, 178
Safecopy, 409
SafeCopy, 408
Scalpel, 149
SilentRunner, 408
software memory capture, 117–119
SQL MDF viewer, 298
strings, 131
suitability for purpose, 398–401
Timeline Maker, 20
Trace, 408
Tribble, 119
user activity, tracing, 19
Visio, 19
Web server logs, 236
Web servers, 233
X-Ways Trace, 19
Tools (software), browser history analysis
BUTIL, 243
The Coroner’s Toolkit, 233
CSAUDIT, 243
Directory Snoop, 223
Log Parser 2.2, 236
NWAdmin, 243
ODBC, 243
Pasco, 221
Sawmill, 244
summary of, 230
WebTrends, 243
Tools (software), e-discovery
Analysis and Review package, 372
concept extraction, 372
ZyLab Discovery, 372
Tools (software), Encase
creating timelines, 19
e-discovery, 370
saving images in EWF (Expert Witness Format), 124
Tools (software), evidence collection
CascadeShark, 255
Computer Watchdog, 251
EndaceExtreme, 255
KeyCapture, 251
Keygrabber Wi-Fi, 251
keyloggers, 251
Observer, 255
Tools (software), FTK (Forensic Tool Kit)
creating timelines, 19
e-discovery, 370
EWF support, 124
live capture of registry entries, 331
Tools (software), Linux
DD (Disk Dump), 405
GREP, 405
LDE (Linux Disk Editor), 405
suites, 407
Tools (software), Macintosh OSX
Finder, 406
GREP, 406
HEAD, 406
overview, 406
Tools (software), router and switch forensics
CREED (Cisco Router Evidence Extraction Disk), 271
Metasploit, 274
RAT (Router Audit Tool), 272
router and switch forensics, 271–272, 274
Tools (software), The Sleuth Kit
browser analysis, 220
for evidentiary use, 7
timelines from MAC data, 163
Tools (software), Windows
Autoruns, 404
downloading, 401
dumpchk.exe, 404
EFSDump, 404
PendMoves, 404
PSFile, 404
PSList, 404
PSService, 404
regedit (registry editor), 402–403
RootkitRevealer, 404
Streams, 404
strings, 404
suites, 407
SysInternals, 404
Userdump, 404
Top-level domains
Internet addresses, 215
Web browsers, 215
Trace, 408
Tracing e-mail sources, 202–203, 208–210
Training, policies and procedures, 469
Transacted compound file, 335–336
Transporting evidence, 105–106
TransUnion, 60
Trash. See Garbage.
TReC (Text Retrieval Conference), 205
Triangulation
between cellular towers, 311–313
definition, 519
Tribble, 119
Trigger point, e-discovery, 362
Trilateration, cell phones, 311–313
TriTech Forensics, forensics workstations, 429
Trithemius, Johannes, 350
Trojan horse defense, 227
True negatives, 206
True positives, 206
Tucker, U.S. v., 223
Turbocharge device, 319
Type Allocation Code (TAC), 316
UFED (Universal Forensic Extraction Device), 320–321
UFS (UNIX File System), 137
Unallocated space
definition, 519
recovering data from. See Data carving.
recovering files from, 140
vs. slack space, 140
Uniform Resource Locators (URLs). See URLs (Uniform Resource Locators).
Unique identifiers, 376
Universal Forensic Extraction Device (UFED), 320–321
UNIX File System (UFS), 137
UNIX/Linux file systems
Ext, 137
Reiser, 137
UFS (UNIX File System), 137
Unknownuser (vigilante), 86–87
Unprovoked flight, 46
Unreasonable search and seizure
in the Fourth Amendment, 25–26
societal recognition of privacy, 81
subjective expectation of privacy, 81
two-component test, 81
$Upcase metadata file, 136
Upgrading and Repairing PCs, 423
Upjohn v. U.S., 65
URL logging, Web browsers, 217
URLs (Uniform Resource Locators)
definition, 520
URLSCAN Web server logs, 235
USB devices at crime scenes, 98
Userdump, 404
Users
actions, establishing, 224–230
activity, tracing, 19
extracting registry history, 328–331
listing, router and switch forensics, 272
names, in e-mail addresses, 187
Vantec I/O panels, 437
Video recorder, as forensic tool, 419–420
Video surveillance, 107
Viking DNA, 95
Virtual adapter (VNIC), 293
Virtual local area networks (VLANs), 293
Virtual Machine Manager application, 292
Virtual machines (VMs). See VMs (virtual machines).
Virtual networking. See also Network search.
VLANs (virtual local area networks), 293
VNIC (virtual adapter), 293
VSs (virtual switches), 293–294
Virtual PC application, 292
Virtual private networks (VPNs), 103
Virtual server applications, 292
Virtual switches (VSs), 293–294
VirtualBox application, 291–292
Virtualization. See also Cloud computing; Virtual networking.
for IaaS (Infrastructure as a Service), 281–282
instances, 282. See also VMs (virtual machines).
nodes, 282
overview, 291
servers. See Nodes.
virtual machines. See Instances.
Visio, 19
Visitor Locator Register (VLR), 310
VLANs (virtual local area networks), 293
VLR (Visitor Locator Register), 310
VMDK files, 292
VMEM files, 292
VMs (virtual machines). See also Virtualization.
grouping, 292
guest operating systems, 291–292
host operating systems, 291–292
NVRAM files, 293
server applications, 292
teams, 292
VMDK files, 292
VMEM files, 292
VMSD files, 292
VMSN files, 292
VMSS files, 293
VMTM files, 293
VMX files, 293
VMXF files, 293
VMSD files, 292
VMSN files, 292
VMSS files, 293
VMTM files, 293
VMX files, 293
VMXF files, 293
VNIC (virtual adapter), 293
Volatile information
$Volume metadata file, 136
Voluntary release of information. See also Warrantless searches, with consent.
consent to search, 81
in corporate environments, 88
medical facilities, 63
service providers, electronic communication, 59
VPNs (virtual private networks), 103
VSs (virtual switches), 293–294
W3C fields, 237
W3C Web server logs, 234
.wab folders, 191
Wardlow, Illinois v., 45
Warrantless searches
exclusionary rule, 44
health care information, 63
by medical facilities, 63
mitigating circumstances, 45
unprovoked flight, 46
Warrantless searches, with consent. See also Voluntary release of information.
assumed permission, 48
categories of consent, 47
erroneous assumption of authority, 83
parental permission over children, 48
potential issues, 46
private sector organizations, 48–49
public sector organizations, 49–50
shared computers, 83
Warrants. See Search warrants.
Washington, Earl, 95
Web browsers
browser engine, 216
browsing Web sites, 217
cached files, location of, 219
caching information, 216
cookies, 217
effects on performance, 216
HTML (HyperText Markup Language), 216
MRU (most recently used) sites, 217
parsing HTML, 216
top-level domains, 215
URL logging, 217
Web browsers, browser history
analysis tools, 220
cached history, 219
cookies, storage location, 219
Firefox, 220
Internet Explorer, 219
overview, 219
protected mode, 219
settings, 218
The Sleuth Kit, 220
timelines, creating, 220
timestamps, 220
Web Historian, 220
Web browsers, browser history analysis
control of digital material, 226–227
counting contraband, 230
DAT files, displaying, 221
detecting active measures, 227–230
detecting malware, 227
establishing user actions, 224–230
evidence of deleted files, 223
fast meta refresh, 224
goal of forensic analysis, 222
HTTP 300 message, 224
identifying specific records, 221
job of the investigator, 222–224
knowledge of possession, 222–224
MFT (Master File Table), 223
MFT metadata, effects of deleting files, 229
for multiple users, 224
pop-up bombs, 224
present possession concept, 222
sorting records, 221
timeline, creating, 227
tools, 221, 223, 225, 227, 230, 233
Trojan horse defense, 227
user intent and control, 226–227
Website Profiler, 233
Web Historian, browser history analysis
downloading, 231
redirected URLs, 225
for undetermined browsers, 220
Web server logs
AWSTATS log, 236
Log Parser 2.2, 236
parsing, 236
tools, 236
Web server logs, analyzing
centralized logging, 238
epoch time conversion, 237–238
logging per server, 238
rotating logs, 237
W3C fields, 237
Web server logs, Apache
access log, 235
access_log, 235
error log, 235
error_log, 235
httpd.pid file, 236
NCSA (Common Log), 235
Rewrite log, 236
Script log, 236
Web server logs, Windows
BIN (Centralized Binary), 234
HTTPERR, 235
IIS ODBC (Open Database Connectivity), 234
IISMSID, 235
NCSA (Common Log), 234
URLSCAN, 235
W3C, 234
XML (Extensible Markup Language), 234
Web servers. See also Proxy servers.
The Coroner’s Toolkit, 233
tools, 233
Website Profiler, 233
WebTrends, 243
Wetstone Technologies, 354
WiebeTech
components in forensic workstations, 428–429
Forensic ComboDock, 122
Forensic Ultra Dock, 118
write-protect interfaces, 416
William A. Gross Constr. Assocs., Inc. v. Am. Mfrs. Mut. Ins. Co., 365
William Anderson Jarrett, U.S. v., 87
Williams, Curtis, 79
Williams, Karol, 79
Williams, U.S. v., 79
Wilson v. R, 72
Windows, tools
Autoruns, 404
downloading, 401
dumpchk.exe, 404
EFSDump, 404
PendMoves, 404
PSFile, 404
PSList, 404
PSService, 404
regedit (registry editor), 402–403
RootkitRevealer, 404
Streams, 404
strings, 404
suites, 407
SysInternals, 404
Userdump, 404
Windows 7, forensics workstations, 438
Windows registry. See Registry.
Windows Web server logs. See Web server logs, Windows.
“Wink and the nod” approach, 87
WIPE.EXE, 108
Wiretap Act, 58
Witnesses. See Expert witnesses; Eyewitnesses.
Word
autosave function, 336
directed compound file, 335–336
metadata, extracting, 181
redo function, 336
transacted compound file, 335–336
Write-protect interfaces, 414–416
Write-protected port replicator, 122
Writing reports. See Report writing.
Writs of Assistance, 24
X-Ways Forensics
Capture, 408
duplicate files, detecting, 370
Trace, 408
Winhex, 408
X-Ways Trace, 19
XML (Extensible Markup Language), 234
Young, U.S. v., 323
YouTube, First Amendment protection, 29
Ziegler, U.S. v., 49
Zubulake v. UBS Warburg, 11–12, 362
ZyLab Discovery, 372